diff --git a/configuration.nix b/configuration.nix
index 31121ac..d6275a6 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -15,6 +15,8 @@ in {
imports = [ # Include the results of the hardware scan.
./hardware-configuration.nix
./egirls-qa.nix
+ ./postfix.nix
+ #./stalwart.nix
#./vpn.nix
#/home/jaina/src/nix-deployments/nordvpn/containers.nix
#/home/jaina/src/nix-deployments/refactor/nixos-containers.nix
@@ -109,6 +111,7 @@ in {
# # }) # ];
+ #nixpkgs.overlays = [ (self: prev: { mesa = prev.unstable.mesa; }) ];
hardware.opengl = {
enable = true;
@@ -341,6 +344,76 @@ in {
21027
];
+ services.nginx = {
+ enable = true;
+ package = pkgs.openresty;
+
+ proxyCachePath."media_cache" = {
+ enable = true;
+ maxSize = "1g";
+ inactive = "10m";
+ keysZoneName = "media_cache";
+ };
+
+ virtualHosts."media.dev.egirls.gay" = {
+ listen = [
+ {
+ port = 443;
+ addr = "0.0.0.0";
+ ssl = true;
+ }
+ {
+ port = 80;
+ addr = "0.0.0.0";
+ }
+ ];
+ useACMEHost = "ANY.dev.egirls.gay";
+ forceSSL = true;
+
+ extraConfig = ''
+
+ proxy_cache media_cache;
+ proxy_cache_valid 200 10m;
+ proxy_cache_lock on;
+
+ add_header X-Cache $upstream_cache_status;
+ proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
+ proxy_hide_header X-Amz-ID-2;
+ proxy_hide_header X-Amz-Request-ID;
+ proxy_hide_header X-Wasabi-CM-Reference-ID;
+
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+ '';
+
+ locations."/".extraConfig = "return 404;";
+
+ locations."/misskey/" = {
+ #recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_http_version 1.1;
+
+ include /etc/nixos-secrets/s3-access-nginx.conf;
+
+ set $s3_bucket 'egirls-gay-misskey';
+ set $path_full '/$s3_bucket$request_uri';
+
+ set_by_lua $now "return ngx.http_time(ngx.time())";
+ set $signature_string "GET\n\n\n\nx-amz-date:''${now}\n$path_full";
+ set_hmac_sha1 $s3_signature $s3_secret $signature_string;
+ set_encode_base64 $s3_signature_b64 $s3_signature;
+
+ proxy_set_header x-amz-date $now;
+ proxy_set_header Authorization "AWS $s3_access:$s3_signature_b64";
+
+ proxy_ssl_session_reuse on;
+ rewrite .* $path_full break;
+ proxy_pass https://s3.us-west-1.wasabisys.com;
+ '';
+ };
+ };
+ };
+
# networking.nat = {
# enable = true;
# internalInterfaces = [ "ve-vpn" ];
diff --git a/postfix.nix b/postfix.nix
new file mode 100644
index 0000000..1818103
--- /dev/null
+++ b/postfix.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+ services.postfix = {
+ enable = true;
+ enableSubmission = true;
+
+ extraConfig = ''
+ inet_interfaces = 127.0.0.1
+ '';
+ };
+}
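Review bot: The `/misskey/` location proxies to `https://s3.us-west-1.wasabisys.com` without turning on upstream certificate verification, and nginx's `proxy_ssl_verify` defaults to off, so the TLS on that leg authenticates nothing and an on-path party between this host and Wasabi could inject content into `media_cache`, which is then served under `media.dev.egirls.gay` for up to the 10 minutes `proxy_cache_valid` allows. Add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt;` and `proxy_ssl_server_name on;` next to `proxy_ssl_session_reuse on;` (the default `proxy_ssl_name` is `$proxy_host`, which already names the upstream). The S3 credentials appear to come from `include /etc/nixos-secrets/s3-access-nginx.conf;` rather than the Nix store, which is the right place for them; a one-line comment above the `include` naming the variables it must define (`$s3_access` and `$s3_secret`, presumably) would spare the next reader a trip to that file. Note also that `$request_uri` carries the raw query string into both `$path_full` and the signed string, so any `?…` suffix changes the signed resource; if query strings are not meant to reach the bucket, strip them before building `$path_full`, checking first how Misskey encodes its object keys.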
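Review bot: `inet_interfaces = 127.0.0.1` in `extraConfig` keeps every Postfix listener, including the port-587 one that `enableSubmission = true` turns on, loopback-only, but the file records nothing about that intent; a header comment such as `# Local-only MTA for this host: inet_interfaces pins smtp and submission to loopback` would stop a later edit from widening it casually. NixOS's `enableSubmission` ships submission options that, as far as I recall, require SASL authentication and TLS, neither of which is configured here (`sslCert`/`sslKey` are absent), so the submission listener is probably unusable and could be dropped unless something on this host needs it — worth confirming. Setting the value through the typed option, `services.postfix.config.inet_interfaces = "127.0.0.1";`, instead of raw `extraConfig` lets other modules see and merge it. `pkgs` is bound in the module arguments but never used.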
diff --git a/stalwart.nix b/stalwart.nix
new file mode 100644
index 0000000..964e1b7
--- /dev/null
+++ b/stalwart.nix
@@ -0,0 +1,57 @@
+{ config, pkgs, lib, ... }:
+
+let
+ user = "stalwart-mail";
+ group = user;
+ database = user;
+ domain = "mail.heartles.xyz";
+in {
+ users.users."${user}" = {
+ isSystemUser = true;
+ group = "${group}";
+ };
+ users.groups."${group}" = { members = [ user ]; };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin+acme@heartles.xyz";
+ certs."${domain}" = {
+ inherit domain group;
+ dnsProvider = "namecheap";
+ credentialsFile = "/etc/nixos-secrets/namecheap-acme";
+ };
+ };
+
+ # services.postgresql = {
+ # enable = true;
+ # ensureDatabases = [ "${database}" ];
+ # ensureUsers = [{
+ # name = "${user}";
+ # ensureDBOwnership = true;
+ # }];
+ # };
+
+ services.stalwart-mail = {
+ enable = true;
+ package = let version = "0.7.0";
+ in pkgs.stalwart-mail.overrideAttrs (final: prev: {
+ inherit version;
+ src = pkgs.fetchFromGitHub {
+ owner = "stalwartlabs";
+ repo = "mail-server";
+ rev = "v${version}";
+ hash = "sha256-Ah53htK38Bm2yGN44IiC6iRWgxkMVRtrNvXXvPh+SJc=";
+ fetchSubmodules = true;
+ };
+ });
+ settings = {
+ server.hostname = domain;
+ lookup.default = { hostname = domain; };
+
+ server.listener."smtp" = {
+ bind = [ "[::]:25" ];
+ protocol = "smtp";
+ };
+ };
+ };
+}
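Review bot: The `smtp` listener binds `[::]:25` on every interface, but `settings` never references a certificate, so the ACME cert requested for `mail.heartles.xyz` (made readable by the `stalwart-mail` group via `inherit domain group`) is provisioned and then never handed to Stalwart; unless the package ships a default, STARTTLS on that public port will be unavailable or self-signed. Wire it in with something like `certificate."default" = { cert = "%{file:/var/lib/acme/${domain}/fullchain.pem}%"; private-key = "%{file:/var/lib/acme/${domain}/key.pem}%"; default = true; };` inside `settings`, adjusted to the key names this Stalwart release expects, and add `reloadServices = [ "stalwart-mail.service" ];` to the cert so renewals take effect. Separately, `overrideAttrs` swaps `src` to 0.7.0 but, if `pkgs.stalwart-mail` is a `buildRustPackage` derivation, `cargoDeps` still describes the old source's `Cargo.lock`, so the build will fail or vendor the wrong crates unless `cargoHash`/`cargoDeps` is bumped alongside. This module is only reachable through the commented-out `#./stalwart.nix` import in configuration.nix, so none of it is active yet.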