From 0fefd6137a10d23fa8564cbcc62a5bd6215feb9d Mon Sep 17 00:00:00 2001
From: toufic ar
Date: Thu, 29 Jan 2026 21:45:04 +0200
Subject: [PATCH] config changes
- network: add tor relay + snowflake proxy
- email: regex alias for admin
- search: enable some additional engines
---
 config/configuration.nix | 2 --
 config/default.nix | 1 +
 config/devops/forgejo.nix | 2 +-
 config/http/captiveportal.nix | 2 +-
 config/http/default.nix | 2 +-
 config/mail/default.nix | 50 +++++++++++++++++++----------------
 config/network.nix | 44 ++++++++++++++++++++++++++++++
 config/options.nix | 26 +++++++++++++++---
 config/search/default.nix | 18 +++++++++++--
 config/search/engines.nix | 28 ++++++++++----------
 10 files changed, 128 insertions(+), 47 deletions(-)
 create mode 100644 config/network.nix
diff --git a/config/configuration.nix b/config/configuration.nix
index 3673293..73939a8 100644
--- a/config/configuration.nix
+++ b/config/configuration.nix
@@ -3,8 +3,6 @@
 boot.loader.efi.canTouchEfiVariables = true;
 nix.settings.experimental-features = ["nix-command" "flakes"];
- networking.hostName = "adonis";
- networking.firewall.logRefusedPackets = true;
 customOps.owner = "toufy";
 customOps.domain = "toufy.me";
diff --git a/config/default.nix b/config/default.nix
index ad44d15..965a3a0 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -3,6 +3,7 @@
 ./disks.nix
 ./hardware-configuration.nix
 ./configuration.nix
+ ./network.nix
 ./options.nix
 ./devops
 ./mail
diff --git a/config/devops/forgejo.nix b/config/devops/forgejo.nix
index 98eceb4..9b9670f 100644
--- a/config/devops/forgejo.nix
+++ b/config/devops/forgejo.nix
@@ -3,7 +3,7 @@
 lib,
 ...
 }: let
- customDomain = config.customOps.domain;
+ customDomain = config.customOps.domain.fqdn;
 mail = "forgejo@${customDomain}";
 cfg = config.services.forgejo;
 srv = cfg.settings.server;
diff --git a/config/http/captiveportal.nix b/config/http/captiveportal.nix
index 53e06d0..0347107 100644
--- a/config/http/captiveportal.nix
+++ b/config/http/captiveportal.nix
@@ -1,5 +1,5 @@
 {config, ...}: let
- domain = config.customOps.domain;
+ domain = config.customOps.domain.fqdn;
 in {
 services.nginx.virtualHosts."cpcheck.${domain}" = {
 extraConfig = ''
diff --git a/config/http/default.nix b/config/http/default.nix
index 1d372f6..5d2a529 100644
--- a/config/http/default.nix
+++ b/config/http/default.nix
@@ -1,5 +1,5 @@
 {config, ...}: let
- customDomain = config.customOps.domain;
+ customDomain = config.customOps.domain.fqdn;
 in {
 imports = [./captiveportal.nix];
diff --git a/config/mail/default.nix b/config/mail/default.nix
index c355f32..cfc4463 100644
--- a/config/mail/default.nix
+++ b/config/mail/default.nix
@@ -1,5 +1,7 @@
 {config, ...}: let
- mailDomain = config.customOps.domain;
+ domainFqdn = config.customOps.domain.fqdn;
+ domainName = config.customOps.domain.name;
+ domainTld = config.customOps.domain.tld;
 in {
 sops.secrets = {
 "mailserver/root".owner = "dovecot2";
@@ -11,13 +13,13 @@ in {
 mailserver = {
 enable = true;
 stateVersion = 3;
- fqdn = mailDomain;
- domains = [mailDomain];
+ fqdn = domainFqdn;
+ domains = [domainFqdn];
 virusScanning = true;
- systemDomain = mailDomain;
- systemName = mailDomain;
+ systemDomain = domainFqdn;
+ systemName = domainFqdn;
 dmarcReporting.enable = true;
 fullTextSearch.enable = true;
@@ -46,29 +48,31 @@ in {
 };
 loginAccounts = {
- "dmarc@${mailDomain}" = {
+ "dmarc@${domainFqdn}" = {
 hashedPasswordFile = config.sops.secrets."mailserver/dmarc".path;
 aliases = [
- "rua@${mailDomain}"
- "ruf@${mailDomain}"
+ "rua@${domainFqdn}"
+ "ruf@${domainFqdn}"
 ];
 };
- "root@${mailDomain}" = {
+ "root@${domainFqdn}" = {
 hashedPasswordFile = config.sops.secrets."mailserver/root".path;
 aliases = [
- "postmaster@${mailDomain}"
- "security@${mailDomain}"
- "abuse@${mailDomain}"
- "webmaster@${mailDomain}"
- "admin@${mailDomain}"
- "info@${mailDomain}"
- "support@${mailDomain}"
+ "postmaster@${domainFqdn}"
+ "security@${domainFqdn}"
+ "abuse@${domainFqdn}"
+ "webmaster@${domainFqdn}"
+ "info@${domainFqdn}"
+ "support@${domainFqdn}"
+ ];
+ aliasesRegexp = [
+ "/^admin\\..*@${domainName}\\.${domainTld}$/"
 ];
 };
- "contact@${mailDomain}" = {
+ "contact@${domainFqdn}" = {
 hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
- aliases = ["@${mailDomain}"];
- catchAll = [mailDomain];
+ aliases = ["@${domainFqdn}"];
+ catchAll = [domainFqdn];
 };
 };
 certificateScheme = "acme";
@@ -76,10 +80,10 @@ in {
 services.roundcube = {
 enable = true;
- hostName = "mail.${mailDomain}";
+ hostName = "mail.${domainFqdn}";
 extraConfig = ''
- $config['imap_host'] = "ssl://${mailDomain}";
- $config['smtp_host'] = "ssl://${mailDomain}";
+ $config['imap_host'] = "ssl://${domainFqdn}";
+ $config['smtp_host'] = "ssl://${domainFqdn}";
 $config['smtp_user'] = "%u";
 $config['smtp_pass'] = "%p";
 '';
@@ -98,7 +102,7 @@ in {
 services.nginx = {
 enable = true;
- virtualHosts."cal.${mailDomain}" = {
+ virtualHosts."cal.${domainFqdn}" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
diff --git a/config/network.nix b/config/network.nix
new file mode 100644
index 0000000..aed28ee
--- /dev/null
+++ b/config/network.nix
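Review bot: The literal `admin@${domainFqdn}` alias is dropped from `root@` while the new `aliasesRegexp` entry requires a dot after `admin`, so mail to bare `admin@…` no longer reaches root and presumably falls through to `contact@`'s `catchAll` instead; if that is unintended, widen the pattern to `"/^admin(\\..+)?@${domainName}\\.${domainTld}$/"` or keep the literal alias alongside it. `${domainName}` is interpolated into a PCRE unescaped, which is fine for a plain label but will silently change meaning if the option ever holds regex metacharacters; `lib.escapeRegex` would make the intent explicit (the module's argument list `{config, ...}` is outside this hunk and would need `lib`). It is also worth confirming which of `aliasesRegexp` and `catchAll` the mailserver module consults first, since `admin.<x>@` addresses must win over the catch-all for the regex to have any effect. The enclosing `mailserver = {` attrset starts outside the hunk.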
@@ -0,0 +1,44 @@
+{config, ...}: let
+ owner = config.customOps.owner;
+ domain = config.customOps.domain.fqdn;
+in {
+ networking.hostName = "adonis";
+ networking.firewall.logRefusedPackets = true;
+
+ services.tor = {
+ enable = true;
+ openFirewall = true;
+ enableGeoIP = false;
+ torsocks.enable = true;
+ client.enable = true;
+
+ relay = {
+ enable = true;
+ role = "relay";
+ };
+
+ settings = {
+ Nickname = "${owner}";
+ ContactInfo = "admin.tor@${domain}";
+
+ ExitRelay = false;
+
+ MaxAdvertisedBandwidth = "100 MB";
+ BandWidthRate = "100 MB";
+ RelayBandwidthRate = "100 MB";
+
+ CookieAuthentication = true;
+ AvoidDiskWrites = 1;
+ HardwareAccel = 0;
+ SafeLogging = 1;
+ NumCPUs = 4;
+
+ ORPort = [9001];
+ };
+ };
+
+ services.snowflake-proxy = {
+ enable = true;
+ capacity = 10;
+ };
+}
diff --git a/config/options.nix b/config/options.nix
index 1db795b..193cd51 100644
--- a/config/options.nix
+++ b/config/options.nix
@@ -1,4 +1,10 @@
-{lib, ...}: {
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.customOps;
+in {
 options = with lib; {
 customOps = mkOption {
 description = "custom options";
@@ -10,8 +16,22 @@
 description = "machine owner username";
 };
 domain = mkOption {
- type = types.str;
- default = null;
+ type = types.submodule {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = null;
+ };
+ tld = mkOption {
+ type = types.str;
+ default = null;
+ };
+ fqdn = mkOption {
+ type = types.str;
+ default = "${cfg.domain.name}.${cfg.domain.tld}";
+ };
+ };
+ };
 description = "machine domain name";
 };
 };
diff --git a/config/search/default.nix b/config/search/default.nix
index 1fec4e5..da8c00d 100644
--- a/config/search/default.nix
+++ b/config/search/default.nix
@@ -1,5 +1,5 @@
 {config, ...}: let
- searxDomain = "search.${config.customOps.domain}";
+ searxDomain = "search.${config.customOps.domain.fqdn}";
 in {
 imports = [./engines.nix];
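Review bot: `relay.enable = true` with `ORPort = [9001]` and `openFirewall = true` publishes this host's address in the Tor consensus, and the same host and IP serve mail, git and search in the rest of this config; several DNS blocklists list every relay rather than only exits, so outbound mail from this address may start being rejected or greylisted—check the lists your recipients use before relying on this, or bind the relay to a dedicated address (`ORPort = ["<addr>:9001"]` plus `OutboundBindAddress`) if one is available. `BandWidthRate` is not the documented spelling (`BandwidthRate`); Tor matches option names case-insensitively as far as I know, but using the documented form avoids depending on that and keeps the file greppable. `Nickname = "${owner}"` can simply be `Nickname = owner;`. A short header comment stating that this box intentionally runs a non-exit relay and a snowflake proxy next to its other services (`# non-exit relay + snowflake; IP is published in the Tor consensus`) would help whoever debugs deliverability later.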
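Review bot: `name` and `tld` are declared as `types.str` with `default = null;`, so leaving either unset fails with a type error ("value is not of type string") at the first evaluation rather than the module system's clearer "option used but not defined" message; dropping the two `default = null;` lines gives the better error for free (the same applies to the `default = null;` the hunk removes from the old `domain` option). The `fqdn` default reads `cfg.domain.name` through the outer `config` even though it lives inside the submodule; taking the submodule's own argument, `types.submodule ({config, ...}: { options = { … fqdn = mkOption { default = "${config.name}.${config.tld}"; }; }; })`, keeps the default self-contained. A one-line `description` on `name`, `tld` and `fqdn` (e.g. `description = "registrable label, e.g. \"toufy\""`) would match the style of the sibling options.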
@@ -24,6 +24,20 @@ in {
 };
 };
+ faviconsSettings = {
+ favicons = {
+ cfg_schema = 1;
+ cache = {
+ db_url = "/var/cache/searx/faviconcache.db";
+ HOLD_TIME = 5184000;
+ LIMIT_TOTAL_BYTES = 2147483648;
+ BLOB_MAX_BYTES = 40960;
+ MAINTENANCE_MODE = "auto";
+ MAINTENANCE_PERIOD = 600;
+ };
+ };
+ };
+
 settings = {
 general = {
 debug = false;
@@ -51,7 +65,7 @@ in {
 safe_search = 0;
 autocomplete_min = 2;
 autocomplete = "duckduckgo";
- favicon_resolver = "";
+ favicon_resolver = "allesedv";
 ban_time_on_fail = 5;
 max_ban_time_on_fail = 120;
 };
diff --git a/config/search/engines.nix b/config/search/engines.nix
index 61f5287..2a1a75d 100644
--- a/config/search/engines.nix
+++ b/config/search/engines.nix
@@ -45,7 +45,6 @@
 "moviepilot".disabled = true;
 "senscritique".disabled = true;
 "geizhals".disabled = true;
- "duckduckgo weather".disabled = true;
 "openmeteo".disabled = true;
 "fyyd".disabled = true;
 "yummly".disabled = true;
@@ -70,13 +69,6 @@
 "apple app store".disabled = true;
 "goodreads".disabled = true;
 # captcha
- "mojeek".disabled = true;
- "mojeek images".disabled = true;
- "mojeek news".disabled = true;
- "qwant".disabled = true;
- "qwant images".disabled = true;
- "qwant videos".disabled = true;
- "qwant news".disabled = true;
 "cppreference".disabled = true;
 "lib.rs".disabled = true;
 "sourcehut".disabled = true;
@@ -88,10 +80,6 @@
 "library genesis".disabled = true;
 "openrepos".disabled = true;
 "tokyotoshokan".disabled = true;
- "startpage".disabled = true;
- "mulvaddelta".disabled = true;
- "mulvaddelta brave".disabled = true;
- "brave".disabled = true;
 # non-free
 "tineye".disabled = true;
 "1x".disabled = true;
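Review bot: `db_url = "/var/cache/searx/faviconcache.db"` assumes the searx unit may create and write under `/var/cache/searx`, but nothing in this hunk grants that; the NixOS searx service runs as its own user under systemd hardening, so confirm the unit declares `CacheDirectory = "searx"` (or add it via `systemd.services.searx.serviceConfig`) before relying on the cache, otherwise favicon lookups will presumably just fail at runtime. The bare constants deserve a comment, e.g. `# 2 GiB on-disk favicon cache, entries held 60 days, 40 KiB per icon`, since `5184000` and `2147483648` are opaque as written. The `settings = {` attrset that follows starts in this hunk but closes outside it.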
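Review bot: Changing `favicon_resolver` from `""` to `"allesedv"` makes the instance fetch an icon for every result domain from a third-party resolver, so the set of domains appearing in users' results is disclosed to that service—from the instance's IP rather than the user's, and only on cache misses if the cache configured above works, as far as I can tell. For a self-hosted privacy-oriented front-end that trade-off should be stated next to the setting, e.g. `# favicons via third-party resolver: discloses result domains to allesedv on cache miss`. If that is not acceptable, the other resolvers are no better; leaving the value empty is the only non-disclosing choice.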
@@ -142,22 +130,34 @@
 "seekr images".disabled = true;
 "seekr news".disabled = true;
 "seekr videos".disabled = true;
- "github".disabled = true;
 # censorship
 "reuters".disabled = true;
 # far-right/disinformation/misinformation
 "bitchute".disabled = true;
 "rumble".disabled = true;
- "bandcamp".disabled = true;
 # slow
 "crossref".disabled = true;
 "wikidata".disabled = true;
 # enabled
 "wiby".disabled = false;
+ "bandcamp".disabled = false;
 "duckduckgo".disabled = false;
+ "startpage".disabled = false;
 "duckduckgo images".disabled = false;
 "duckduckgo videos".disabled = false;
 "duckduckgo news".disabled = false;
+ "duckduckgo weather".disabled = false;
+ "mojeek".disabled = false;
+ "mojeek images".disabled = false;
+ "mojeek news".disabled = false;
+ "qwant".disabled = false;
+ "qwant images".disabled = false;
+ "qwant videos".disabled = false;
+ "qwant news".disabled = false;
+ "github".disabled = false;
+ "mulvaddelta".disabled = false;
+ "mulvaddelta brave".disabled = false;
+ "brave".disabled = false;
 };
 }
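Review bot: The engines enabled here (mojeek, qwant, startpage, brave, mulvaddelta, github) were previously parked under reason comments earlier in the file (`# captcha`, and the group just above `# non-free`), and nothing records why those concerns no longer apply; a dated one-liner next to the `# enabled` header, e.g. `# re-enabled 2026-01: captcha blocks not observed from this IP; revert if ban_time_on_fail keeps tripping`, would save the next person from rediscovering it. With the removals in the earlier hunks, `# captcha` now sits directly above `cppreference`/`lib.rs`/`sourcehut`, which may or may not be why those are disabled—worth checking the headers still describe what follows them. The attrset this hunk closes with `};` `}` starts outside the hunk.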