+27
flake.lock
+27
flake.lock
···
+11
flake.nix
+11
flake.nix
+14
modules/default.nix
+14
modules/default.nix
···
+17
modules/dns/bind.nix
+17
modules/dns/bind.nix
···
+75
modules/dns/default.nix
+75
modules/dns/default.nix
···
+20
modules/dns/zonefile.nix
+20
modules/dns/zonefile.nix
···+(builtins.map (rr: "${rr.name} IN ${builtins.toString rr.ttl} ${rr.type} ${rr.data}") cfg.records)
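Review bot: `rr.name`, `rr.type` and `rr.data` are interpolated into the record line verbatim, so a value containing a newline or an unquoted `;` changes what the generated zone contains without any evaluation error. Because the data is emitted as-is, callers have to supply zone-file presentation format themselves (TXT strings quoted and at most 255 bytes each). I would document that next to the `map`, e.g. `# rr.data is written verbatim: pass presentation format (quoted TXT, each string <= 255 bytes, no newlines)`, and consider an assertion that rejects newlines in record fields. Only this line of the file is visible here, so the option declarations may already say this.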
+15
modules/hosting/default.nix
+15
modules/hosting/default.nix
+58
modules/hosting/dns.nix
+58
modules/hosting/dns.nix
···
+88
modules/hosting/gitea.nix
+88
modules/hosting/gitea.nix
···
+81
modules/hosting/mailserver.nix
+81
modules/hosting/mailserver.nix
···+data = "\"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6YmYYvoFF7VqtGcozpVQa78aaGgZdvc5ZIHqzmkKdCBEyDF2FRbCEK4s2AlC8hhc8O4mSSe3S4AzEhlRgHXbU22GBaUZ3s2WHS8JJwZvWeTjsbXQwjN/U7xpkqXPHLH9IVfOJbHlp4HQmCAXw4NaypgkkxIGK0jaZHm2j6/1izQIDAQAB\"";
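Review bot: The DKIM record added here publishes a 1024-bit RSA key (the `MIGfMA0G…` prefix is the 1024-bit SubjectPublicKeyInfo header), which is the minimum RFC 8301 allows; the RFC recommends 2048 bits for signing keys. Regenerating the key at 2048 bits is the fix; upstream nixos-mailserver has a `dkimKeyBits` option for this, and it is worth checking whether the vendored copy carries it. A 2048-bit `p=` value no longer fits in one 255-byte TXT string, so `data` would then need splitting into several quoted strings. The value is also a hand-copied duplicate of the key generated on the mail host, so a comment such as `# must match the public key for <selector> in dkimKeyDirectory; update on rotation` would help.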
+79
modules/hosting/mastodon.nix
+79
modules/hosting/mastodon.nix
···
+112
modules/hosting/matrix.nix
+112
modules/hosting/matrix.nix
···
+78
modules/mailserver/borgbackup.nix
+78
modules/mailserver/borgbackup.nix
···+compressionFragment = lib.concatStringsSep "," (lib.flatten [autoFragment methodFragment levelFragment]);+compression = lib.optionalString (compressionFragment != "") "--compression ${compressionFragment}";+(if cfg.encryption.passphraseFile != null then ''env BORG_PASSPHRASE="$(cat ${passphraseFile})"''+${passphraseFragment} ${pkgs.borgbackup}/bin/borg init ${extraInitArgs} --encryption ${encryptionFragment} || true+${passphraseFragment} ${pkgs.borgbackup}/bin/borg create ${extraCreateArgs} ${compression} ::${name} ${locations}
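Review bot: `env BORG_PASSPHRASE="$(cat ${passphraseFile})"` expands the passphrase into the argument list of `env`, where it can be read from the process list until `env` execs borg, and it stays in borg's environment afterwards. Borg can read the secret itself, so I would write the fragment as `env BORG_PASSCOMMAND="cat ${passphraseFile}"` instead. Separately, `borg init … || true` discards every init failure, not only "repository already exists", so a wrong passphrase or an unreachable repository surfaces only later in `borg create`; logging the failure before continuing would make that diagnosable. The surrounding script is not visible in this view.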
+30
modules/mailserver/clamav.nix
+30
modules/mailserver/clamav.nix
···
+48
modules/mailserver/common.nix
+48
modules/mailserver/common.nix
···+mkHashFile = name: hash: pkgs.writeText "${builtins.hashString "sha256" name}-password-hash" hash;
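Review bot: `mkHashFile` hands the password hash to `pkgs.writeText`, which puts it in a file under `/nix/store` that every local user can read and that is copied with any closure referencing it. For real accounts the hash should come from a file outside the store; upstream nixos-mailserver offers `hashedPasswordFile` for that, though whether it is wired up in this copy is not visible here. At minimum I would add `# NOTE: written to the world-readable Nix store; use a file-based hash for production accounts` above the helper.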
+4
modules/mailserver/debug.nix
+4
modules/mailserver/debug.nix
+1043
modules/mailserver/default.nix
+1043
modules/mailserver/default.nix
···+description = "Secondary domains and subdomains for which it is necessary to generate a certificate.";+example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";+hashedPassword = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";+hashedPassword = "$6$oE0ZNv2n7Vk9gOf$9xcZWCCLGdMflIfuA0vR1Q1Xblw6RZqPrP94mEit2/81/7AKj2bqUai5yPyWE.QYPyv6wLMHZvjw3Rlg7yTCD/";+enable = lib.mkEnableOption "Full text search indexing with xapian. This has significant performance and disk space cost.";+description = "Memory limit for the indexer process, in MiB. If null, leaves the default (which is rather low), and if 0, no limit.";+description = "When to run the maintenance job. See systemd.time(7) for more information about the format.";+description = "Run the maintenance job not exactly at the time specified with <literal>onCalendar</literal>, but plus or minus this many seconds.";+For instance when using "." then in a sieve script "example.com" would refer to the mailbox "com" in the parent mailbox "example".+Runs a local DNS resolver (kresd) as recommended when running rspamd. This prevents your log file from filling up with rspamd_monitored_dns_mon entries.+defaultText = lib.literalDocBook "computed from <option>config.services.redis.servers.rspamd.bind</option>";+if failed host ${cfg.fqdn} port 993 type tcpssl sslauto protocol imap for 5 cycles then restart+description = "When or how often the backup should run. 
Must be in the format described in systemd.time 7.";+description = "Leaves it to borg to determine whether an individual file should be compressed.";+This is called prior to borg init in the same script that runs borg init and create and cmdPostexec.+It is recommended to use the default value because the quicker kexec reboot has a number of problems.+Also if your server is running in a virtual machine the regular reboot will already be very quick.+The command to be executed before each backup operation. This is wrapped in a shell script to be called by rsnapshot.+description = "The command to be executed after each backup operation. This is wrapped in a shell script to be called by rsnapshot.";
+324
modules/mailserver/dovecot.nix
+324
modules/mailserver/dovecot.nix
···+for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do+"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"+junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);+message = "nixos-mailserver requires exactly one dovecot mailbox with the 'special use' flag set to 'Junk' (${builtins.toString junkMailboxNumber} have been found)";+modules = [ pkgs.dovecot_pigeonhole ] ++ (lib.optional cfg.fullTextSearch.enable pkgs.dovecot_fts_xapian );+fts_xapian = partial=${toString cfg.fullTextSearch.minSize} full=${toString cfg.fullTextSearch.maxSize} attachments=${bool2int cfg.fullTextSearch.indexAttachments} verbose=${bool2int cfg.debug}+${lib.strings.concatImapStringsSep "\n" (n: x: "fts_autoindex_exclude${if n==1 then "" else toString n} = ${x}") cfg.fullTextSearch.autoIndexExclude}+systemd.services.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable) {+systemd.timers.dovecot-fts-xapian-optimize = lib.mkIf (cfg.fullTextSearch.enable && cfg.fullTextSearch.maintenance.enable && cfg.fullTextSearch.maintenance.randomizedDelaySec != 0) {
+15
modules/mailserver/dovecot/imap_sieve/report-ham.sieve
+15
modules/mailserver/dovecot/imap_sieve/report-ham.sieve
···
+7
modules/mailserver/dovecot/imap_sieve/report-spam.sieve
+7
modules/mailserver/dovecot/imap_sieve/report-spam.sieve
+3
modules/mailserver/dovecot/pipe_bin/sa-learn-ham.sh
+3
modules/mailserver/dovecot/pipe_bin/sa-learn-ham.sh
+3
modules/mailserver/dovecot/pipe_bin/sa-learn-spam.sh
+3
modules/mailserver/dovecot/pipe_bin/sa-learn-spam.sh
+28
modules/mailserver/environment.nix
+28
modules/mailserver/environment.nix
···
+27
modules/mailserver/kresd.nix
+27
modules/mailserver/kresd.nix
···
+32
modules/mailserver/monit.nix
+32
modules/mailserver/monit.nix
···
+37
modules/mailserver/networking.nix
+37
modules/mailserver/networking.nix
···
+44
modules/mailserver/nginx.nix
+44
modules/mailserver/nginx.nix
···
+88
modules/mailserver/opendkim.nix
+88
modules/mailserver/opendkim.nix
···+(dom: "${dom} ${dom}:${cfg.dkimSelector}:${cfg.dkimKeyDirectory}/${dom}.${cfg.dkimSelector}.key")));
+46
modules/mailserver/post-upgrade-check.nix
+46
modules/mailserver/post-upgrade-check.nix
···+systemd.services.nixos-upgrade.serviceConfig.ExecStartPost = pkgs.writeScript "post-upgrade-check" ''+# This is just an educated guess. If the links do not differ the kernels might still be different, according to spacefrogg in #nixos.+echo "kernel version seems unchanged, skipping reboot" | systemd-cat --priority 4 --identifier "post-upgrade-check";+echo "kernel path changed, possibly a new version" | systemd-cat --priority 2 --identifier "post-upgrade-check"
+269
modules/mailserver/postfix.nix
+269
modules/mailserver/postfix.nix
···+in lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);+denied_recipients_file = builtins.toFile "denied_recipients" (lib.concatStringsSep "\n" denied_recipients_postfix);+reject_senders_file = builtins.toFile "reject_senders" (lib.concatStringsSep "\n" (reject_senders_postfix)) ;+reject_recipients_file = builtins.toFile "reject_recipients" (lib.concatStringsSep "\n" (reject_recipients_postfix)) ;+smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";+virtual = lookupTableToString (mergeLookupTables [all_valiases_postfix catchAllPostfix forwards]);+milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
+59
modules/mailserver/rsnapshot.nix
+59
modules/mailserver/rsnapshot.nix
···
+119
modules/mailserver/rspamd.nix
+119
modules/mailserver/rspamd.nix
···+scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all+requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");+after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
+83
modules/mailserver/systemd.nix
+83
modules/mailserver/systemd.nix
···
+101
modules/mailserver/users.nix
+101
modules/mailserver/users.nix
···
+66
modules/wireguard/default.nix
+66
modules/wireguard/default.nix
···
+10
modules/wireguard/generate-key.sh
+10
modules/wireguard/generate-key.sh
+39
modules/wireguard/server.nix
+39
modules/wireguard/server.nix
···