Diffstat (limited to 'hosts/cloud/spanm')
-rw-r--r--hosts/cloud/spanm/configuration.nix66
-rw-r--r--hosts/cloud/spanm/flake.lock27
-rw-r--r--hosts/cloud/spanm/flake.nix16
-rw-r--r--hosts/cloud/spanm/hardware-configuration.nix36
-rw-r--r--hosts/cloud/spanm/mail.nix67
-rw-r--r--hosts/cloud/spanm/nginx.nix46
-rw-r--r--hosts/cloud/spanm/packages.nix47
-rw-r--r--hosts/cloud/spanm/users.nix42
8 files changed, 347 insertions, 0 deletions
diff --git a/hosts/cloud/spanm/configuration.nix b/hosts/cloud/spanm/configuration.nix
new file mode 100644
index 0000000..0ec8bf2
--- /dev/null
+++ b/hosts/cloud/spanm/configuration.nix
@@ -0,0 +1,66 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "spanmail"; # Define your hostname.
+ #
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ networking.interfaces.ens160.ipv4.addresses = [ {
+ address = "185.32.214.66";
+ prefixLength = 22;
+ } ];
+ networking.defaultGateway = "185.32.212.1";
+
+ networking.nameservers = [ "185.32.212.3" ];
+
+ # Set your time zone.
+ time.timeZone = "Europe/Zurich";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKD2DxTdE7vekp+BTifuB9gPoIPdaFSGkgVblA5MbTh"
+];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+
+}
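Review bot: `networking.firewall.enable = false;` leaves every listening service on this statically addressed public host reachable, while the commented lines just above it already show the allow-list form; keep the firewall on and open only what the host serves, `networking.firewall.allowedTCPPorts = [ 22 80 443 ];`, leaving the mail ports to the mailserver module, which as far as I recall opens its own (confirm `mailserver.openFirewall` against the pinned release). Root and, in users.nix, `span` authenticate with an ssh-ed25519 key, so password logins can be refused outright with `services.openssh.settings.PasswordAuthentication = false;`. `networking.networkmanager.enable = true` next to a static `networking.interfaces.ens160` address, with the generated hardware-configuration.nix also setting `networking.useDHCP = lib.mkDefault true`, is more than one network manager for a single interface; for a server with one fixed address, dropping NetworkManager and setting `networking.useDHCP = false;` is the simpler declaration, but confirm which one actually configures ens160 today before changing it.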
diff --git a/hosts/cloud/spanm/flake.lock b/hosts/cloud/spanm/flake.lock
new file mode 100644
index 0000000..6bc7bd0
--- /dev/null
+++ b/hosts/cloud/spanm/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1704008649,
+ "narHash": "sha256-rGPSWjXTXTurQN9beuHdyJhB8O761w1Zc5BqSSmHvoM=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d44d59d2b5bd694cd9d996fd8c51d03e3e9ba7f7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/hosts/cloud/spanm/flake.nix b/hosts/cloud/spanm/flake.nix
new file mode 100644
index 0000000..b801212
--- /dev/null
+++ b/hosts/cloud/spanm/flake.nix
@@ -0,0 +1,16 @@
+{
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+
+ outputs = { nixpkgs, ... }:
+ {
+ nixosConfigurations.spanmail = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./configuration.nix
+ ./users.nix
+ ./packages.nix
+ ./mail.nix
+ ];
+ };
+ };
+}
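Review bot: `nginx.nix`, added in this same commit with the three `spandrell.ch` virtual hosts, is not listed in `modules`, so its reverse-proxy configuration is never part of `nixosConfigurations.spanmail`; add `./nginx.nix` after `./mail.nix`. mail.nix pulls nixos-mailserver through `builtins.fetchTarball` inside `imports` rather than as a flake input, so flake.lock does not record it and `nix flake update` cannot move it; declaring it as an input and passing it through `outputs` would keep both pins in one place.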
diff --git a/hosts/cloud/spanm/hardware-configuration.nix b/hosts/cloud/spanm/hardware-configuration.nix
new file mode 100644
index 0000000..fad27b2
--- /dev/null
+++ b/hosts/cloud/spanm/hardware-configuration.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "mptspi" "ahci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/7a5731fc-56f0-4ce5-9dbe-dec8d1ba25db";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/066C-4E19";
+ fsType = "vfat";
+ };
+ swapDevices = [ {
+ device = "/var/lib/swapfile";
+ size = 4*1024;
+ } ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens160.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/cloud/spanm/mail.nix b/hosts/cloud/spanm/mail.nix
new file mode 100644
index 0000000..d020fec
--- /dev/null
+++ b/hosts/cloud/spanm/mail.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }: {
+ imports = [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-23.11/nixos-mailserver-nixos-23.11.tar.gz";
+ # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+ # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+
+ sha256 = "122vm4n3gkvlkqmlskiq749bhwfd0r71v6vcmg1bbyg4998brvx8";
+ })
+ ];
+
+ services.dovecot2.sieve.extensions = [ "fileinto" ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.spandrell.ch";
+ domains = [ "spandrell.ch" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "s@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "book@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "site@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "lol@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "sub@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "security@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/mail.key";
+ };
+ "parallax@spandrell.ch" = {
+ hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
+ };
+ "finnem@spandrell.ch" = {
+ hashedPasswordFile = "/home/span/finnem.key";
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@spandrell.ch";
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "mail.spandrell.ch";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.enable = true;
+}
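Review bot: Six of the eight `loginAccounts` point `hashedPasswordFile` at the same `/home/span/mail.key`, so they share one password and a leak of any one mailbox credential — including `security@spandrell.ch`, which is also the ACME contact — unlocks all of them; give each account its own file, or if these are addresses for one person declare the extras under `mailserver.extraVirtualAliases` pointing at a single real account. `parallax@spandrell.ch` carries its bcrypt hash inline, so the hash lands in repository history and in the world-readable Nix store instead of a root-owned file; switch it to `hashedPasswordFile` like the others. The key files live under `/home/span`, the home of the wheel user declared in users.nix, presumably by design, but a location outside any user home (a `/var/lib/...` or secrets directory readable only by root) would keep mail credentials out of reach of that account's tooling.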
diff --git a/hosts/cloud/spanm/nginx.nix b/hosts/cloud/spanm/nginx.nix
new file mode 100644
index 0000000..cda5ab4
--- /dev/null
+++ b/hosts/cloud/spanm/nginx.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }: {
+
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ limit_req_zone $binary_remote_addr zone=blog:10m rate=10r/s;
+ '';
+ virtualHosts."spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ limit_req zone=blog burst=20 nodelay;
+ proxy_set_header Host $Host;
+ proxy_set_header Forwarded for=$remote_addr;
+ '';
+ };
+ };
+ virtualHosts."u.spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ limit_req zone=blog burst=20 nodelay;
+ proxy_set_header Host $Host;
+ proxy_set_header Forwarded for=$remote_addr;
+ '';
+ };
+ };
+ virtualHosts."s3.spandrell.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig = ''
+ proxy_set_header Host $Host;
+ '';
+ };
+ };
+ };
+}
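Review bot: `proxy_set_header Host $Host;` in the `spandrell.ch` location (and again in the `u.` and `s3.` locations) names an nginx variable with a capital letter; nginx variable names are case-sensitive and the built-in is `$host`, so this should be `proxy_set_header Host $host;` — as written I would expect `nginx -t` to reject the generated config with an unknown-variable error, which is worth confirming on the host. The `s3.spandrell.ch` location proxies to what looks like an object-store port but inherits nginx's default 1 MiB `client_max_body_size`, so uploads larger than that will fail with 413; add `client_max_body_size 0;` (or a chosen cap) to its `extraConfig`. `Forwarded for=$remote_addr;` passes the client address but not the scheme; since `forceSSL` terminates TLS here, `proxy_set_header Forwarded "for=$remote_addr;proto=https";` lets the backends build correct absolute links.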
diff --git a/hosts/cloud/spanm/packages.nix b/hosts/cloud/spanm/packages.nix
new file mode 100644
index 0000000..6574071
--- /dev/null
+++ b/hosts/cloud/spanm/packages.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, ... }:
+
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ helix
+ fish
+ # unix utilities
+ tmux
+ bat # cat replacement written in Rust
+ colordiff
+ direnv # Per-directory environment variables
+ lsd
+ fd # find replacement written in Rust
+ fzf # Fuzzy finder
+ git
+ htop # Resource monitoring
+ jq # JSON parsing for the CLI
+ lsof
+ ripgrep # grep replacement written in Rust
+ sd # Fancy sed replacement
+ silver-searcher
+ strace # debug stack trace
+ tealdeer # tldr for various shell tools
+ testdisk
+ tokei # Handy tool to see lines of code by language
+ watchexec # Fileystem watcher/executor useful for speedy development
+ xsv # CSV file parsing utility
+ just # Intriguing new make replacement
+ mdcat # Markdown converter/reader for the CLI
+ tree
+ unzip
+ zip
+
+ # networking
+ curl
+ wget
+
+ minio
+ ncdu
+ ];
+}
+
diff --git a/hosts/cloud/spanm/users.nix b/hosts/cloud/spanm/users.nix
new file mode 100644
index 0000000..60e3a5a
--- /dev/null
+++ b/hosts/cloud/spanm/users.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+
+let shellAliases = {
+ l = "lsd -lAh";
+ la = "lsd -lAh";
+ ports = "sudo lsof -i -P -n | grep LISTEN";
+ gco = "git checkout";
+ gcob = "git checkout -b";
+};
+
+in {
+ programs.fish = {
+ inherit shellAliases;
+ enable = true;
+ };
+
+ users = {
+ users = {
+ span = {
+ group = "users";
+ isNormalUser = true;
+ extraGroups = [
+ "networkmanager"
+ "systemd-journal"
+ "wheel"
+ ];
+ createHome = true;
+ home = "/home/span";
+ isSystemUser = false;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys =
+ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKD2DxTdE7vekp+BTifuB9gPoIPdaFSGkgVblA5MbTh"
+ ];
+ };
+ };
+ };
+}
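Review bot: `span` is put in `wheel` but no password is declared for it, and `security.sudo.wheelNeedsPassword` is left at its default, so the `sudo` in the `ports` alias cannot authenticate unless a password is set imperatively on the host, where `users.mutableUsers` (default true) also lets the account drift from this file; declare `hashedPasswordFile = "<PATH-TO-PASSWORD-HASH-FILE>";` next to the ssh key and consider `users.mutableUsers = false;` so the account is fully described here. `isSystemUser = false`, `group = "users"`, `createHome = true` and `home = "/home/span"` restate what `isNormalUser = true` already implies and can be dropped. The same ssh-ed25519 key is also authorized for root in configuration.nix; once this user can sudo, the root authorized key is redundant and `services.openssh.settings.PermitRootLogin = "no";` closes that path.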
+
+
+