-rw-r--r--config/mail-server.nix10
-rw-r--r--config/web-server.nix13
-rw-r--r--machines/dragon.nix79
3 files changed, 26 insertions, 76 deletions
diff --git a/config/mail-server.nix b/config/mail-server.nix
index 4303912..9ea07f7 100644
--- a/config/mail-server.nix
+++ b/config/mail-server.nix
@@ -3,8 +3,8 @@
networking.firewall.allowedTCPPorts = [ 25 465 587 ];
services.dovecot2 = {
enable = true;
- sslServerCert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem";
- sslServerKey = "${config.security.acme.directory}/shape.orbekk.com/key.pem";
+ sslServerCert = "/var/lib/acme/shape.orbekk.com/fullchain.pem";
+ sslServerKey = "/var/lib/acme/shape.orbekk.com/key.pem";
enablePAM = false;
extraConfig = ''
passdb {
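Review bot: The hard-coded `/var/lib/acme/shape.orbekk.com/...` paths in `sslServerCert`/`sslServerKey` here, and in `sslCert`/`sslCACert`/`sslKey` in the second hunk, tie the mail configuration to the ACME module's storage layout and drop the evaluation-time link to the certificate definition. If the certificate is declared under `security.acme.certs` (not visible in this diff; it may come from an nginx virtual host), the read-only per-certificate option keeps that link: `sslServerKey = "${config.security.acme.certs."shape.orbekk.com".directory}/key.pem";`. It is also worth confirming that the mail daemons read `key.pem` through the certificate's group rather than through loosened file modes, and that they are reloaded after each renewal; neither is shown here.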
@@ -75,8 +75,8 @@ kasiunia: ${katharina}
kat: ${katharina}
lise: ${lise}
'';
- sslCert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem";
- sslCACert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem";
- sslKey = "${config.security.acme.directory}/shape.orbekk.com/key.pem";
+ sslCert = "/var/lib/acme/shape.orbekk.com/fullchain.pem";
+ sslCACert = "/var/lib/acme/shape.orbekk.com/fullchain.pem";
+ sslKey = "/var/lib/acme/shape.orbekk.com/key.pem";
};
}
diff --git a/config/web-server.nix b/config/web-server.nix
index 77a508a..bd2c35d 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -6,6 +6,9 @@
{
imports = [ ./orbekk-pkgs.nix ];
+ security.acme.acceptTerms = true;
+ security.acme.email = "kj@orbekk.com";
+
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
@@ -49,17 +52,17 @@
autoindex on;
'';
};
- locations."/stats" = {
+ locations."/stats/" = {
alias = "/var/lib/stats/out/";
extraConfig = "autoindex on;";
};
- locations."/munin" = {
+ locations."/munin/" = {
alias = "/var/www/munin/";
extraConfig = "autoindex on;";
};
- locations."/mpd" = {
- proxyPass = "http://${mpd_loc.address}:${toString mpd_loc.port}/";
- };
+ locations."/mpd" = {
+ proxyPass = "http://${mpd_loc.address}:${toString mpd_loc.port}/";
+ };
#locations."/systemd" = {
# proxyPass = "http://10.0.20.15:11105/";
#};
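Review bot: `/stats/` and `/munin/` are served with `autoindex on` and no access restriction is visible in these location blocks, so the directory listings and monitoring graphs are readable by anyone who can reach ports 80/443, unless the enclosing virtual host, which starts outside this hunk, restricts them. Consider `basicAuthFile` on these locations or an allow-list in `extraConfig`, for example `extraConfig = "autoindex on; allow <ADMIN_NET>; deny all;";` with the placeholder replaced by the management network. The `/mpd` location still has no trailing slash while its `proxyPass` ends in `/`, so any request path that merely begins with `/mpd` is forwarded upstream; `locations."/mpd/"` would match the two alias blocks.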
diff --git a/machines/dragon.nix b/machines/dragon.nix
index a7ae3ad..39e4bc8 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -19,19 +19,20 @@ in
../config/munin-master.nix
../config/vpn-server.nix
../config/terraria.nix
- ../config/pjournal.nix
+ # ../config/pjournal.nix
];
- services.pjournal = {
- enable = true;
- port = (import ../data/aliases.nix).services.pjournal.port;
- };
+ # services.pjournal = {
+ # enable = true;
+ # port = (import ../data/aliases.nix).services.pjournal.port;
+ # };
environment.systemPackages = with pkgs; [ ipmitool ];
+
# environment.etc."dhcpcd.duid".text = duid;
- systemd.services.dhcpcd.preStart = ''
- cp ${pkgs.writeText "duid" "${duid}"} /var/db/dhcpcd/duid
- '';
+ # systemd.services.dhcpcd.preStart = ''
+ # cp ${pkgs.writeText "duid" "${duid}"} /var/db/dhcpcd/duid
+ # '';
programs.mosh.enable = true;
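Review bot: The pjournal import, `services.pjournal` and the dhcpcd `preStart` are disabled by commenting them out with no reason recorded, while a later hunk of the same commit deletes an older commented-out `containers.kick` block. Either delete these lines as well (history keeps them) or add a one-line reason above each, such as `# pjournal disabled: <reason>`. With the `preStart` gone, nothing in this hunk writes `/var/db/dhcpcd/duid` any more, so it is worth stating in a comment that the DUID is now supplied through the dhcpcd configuration, if that is the intent.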
@@ -45,50 +46,6 @@ in
# packages = [ pkgs.lxc pkgs.apparmor-parser ];
#};
- # containers.kick = {
- # autoStart = true;
- # hostBridge = "br0";
- # privateNetwork = true;
- # config = { config, pkgs, ... }: {
- # system.activationScripts = {
- # resolvconf = {
- # text = ''
- # chmod +w /etc/resolv.conf
- # echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf
- # chmod -w /etc/resolv.conf
- # '';
- # };
- # };
- # networking.firewall.allowedTCPPorts = [ 80 443 ];
- # networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];
- # services.nginx = {
- # enable = true;
- # virtualHosts = {
- # "kick.orbekk.no" = {
- # enableACME = true;
- # addSSL = true;
- # };
- # };
- # };
- # environment.systemPackages = [
- # pkgs.simp_le pkgs.certbot
- # ];
- # # nixpkgs.config.packageOverrides = pkgs: {
- # # simp_le = pkgs.stdenv.mkDerivation {
- # # name = "simp_le";
- # # nativeBuildInputs = [ pkgs.makeWrapper ];
- # # buildCommand = ''
- # # mkdir -p $out/bin
- # # makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \
- # # --add-flags "--server https://api.buypass.com/acme/directory" \
- # # --add-flags "--email kj@orbekk.com" \
- # # --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1"
- # # '';
- # # };
- # # };
- # };
- # };
-
boot = {
kernelParams = [ "console=tty0" ''console="ttyS0,115200n8"'' ];
kernel.sysctl = {
@@ -126,21 +83,11 @@ in
duid
ipv6ra_noautoconf
debug
+ interface br0
+ clientid ${duid}
+ ipv6ra_noautoconf
+ dhcp6
'';
-
- # interfaces.br0.ip6 = [
- # # { address = "2001:470:8e2e:20:eca0:41ff:feef:92"; prefixLength = 64; }
- # { address = "2001:470:8e2e:20::d"; prefixLength = 64; }
- # ];
-
- # Managed with dhcpv6 now.
- # localCommands = ''
- # sleep 10
- # echo setting up routes
- # ip -6 addr add 2001:470:8e2e:20::d/64 dev br0 || true
- # ip -6 route replace default via fe80::822a:a8ff:fe4d:f5d6 dev br0 metric 0 src 2001:470:8e2e:20::d || true
- # ip route replace default via 10.0.20.1 dev br0 metric 0 || true
- # '';
};
# Required to enable password authentication for one user.