toufy/adonis
toufy/adonis
1
Fork 0
Code Activity Actions

config changes
Some checks failed
/ deploy (push) Failing after 8s
Details

Browse source 
- network: add tor relay + snowflake proxy
- email: regex alias for admin
- search: enable some additional engines
This commit is contained in:
toufic ar 2026-01-29 21:45:04 +02:00
parent f9a39222be
commit 0fefd6137a
Signed by: toufic ar
SSH key fingerprint: SHA256:/NaO5I1nG3gYKzrzSiTYIdRyaIYxDWfr1U+d+yfJ/4k
10 changed files with 128 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/configuration.nix
View file

@ -3,8 +3,6 @@
boot.loader.efi.canTouchEfiVariables = true;
nix.settings.experimental-features = ["nix-command" "flakes"];
networking.hostName = "adonis";
networking.firewall.logRefusedPackets = true;
customOps.owner = "toufy";
customOps.domain = "toufy.me";

1
config/default.nix
View file

@ -3,6 +3,7 @@
./disks.nix
./hardware-configuration.nix
./configuration.nix
./network.nix
./options.nix
./devops
./mail

2
config/devops/forgejo.nix
View file

@ -3,7 +3,7 @@
lib,
...
}: let
customDomain = config.customOps.domain;
customDomain = config.customOps.domain.fqdn;
mail = "forgejo@${customDomain}";
cfg = config.services.forgejo;
srv = cfg.settings.server;

2
config/http/captiveportal.nix
View file

@ -1,5 +1,5 @@
{config, ...}: let
domain = config.customOps.domain;
domain = config.customOps.domain.fqdn;
in {
services.nginx.virtualHosts."cpcheck.${domain}" = {
extraConfig = ''

2
config/http/default.nix
View file

@ -1,5 +1,5 @@
{config, ...}: let
customDomain = config.customOps.domain;
customDomain = config.customOps.domain.fqdn;
in {
imports = [./captiveportal.nix];

50
config/mail/default.nix
View file

@ -1,5 +1,7 @@
{config, ...}: let
mailDomain = config.customOps.domain;
domainFqdn = config.customOps.domain.fqdn;
domainName = config.customOps.domain.name;
domainTld = config.customOps.domain.tld;
in {
sops.secrets = {
"mailserver/root".owner = "dovecot2";
@ -11,13 +13,13 @@ in {
mailserver = {
enable = true;
stateVersion = 3;
fqdn = mailDomain;
domains = [mailDomain];
fqdn = domainFqdn;
domains = [domainFqdn];
virusScanning = true;
systemDomain = mailDomain;
systemName = mailDomain;
systemDomain = domainFqdn;
systemName = domainFqdn;
dmarcReporting.enable = true;
fullTextSearch.enable = true;
@ -46,29 +48,31 @@ in {
};
loginAccounts = {
"dmarc@${mailDomain}" = {
"dmarc@${domainFqdn}" = {
hashedPasswordFile = config.sops.secrets."mailserver/dmarc".path;
aliases = [
"rua@${mailDomain}"
"ruf@${mailDomain}"
"rua@${domainFqdn}"
"ruf@${domainFqdn}"
];
};
"root@${mailDomain}" = {
"root@${domainFqdn}" = {
hashedPasswordFile = config.sops.secrets."mailserver/root".path;
aliases = [
"postmaster@${mailDomain}"
"security@${mailDomain}"
"abuse@${mailDomain}"
"webmaster@${mailDomain}"
"admin@${mailDomain}"
"info@${mailDomain}"
"support@${mailDomain}"
"postmaster@${domainFqdn}"
"security@${domainFqdn}"
"abuse@${domainFqdn}"
"webmaster@${domainFqdn}"
"info@${domainFqdn}"
"support@${domainFqdn}"
];
aliasesRegexp = [
"/^admin\\..*@${domainName}\\.${domainTld}$/"
];
};
"contact@${mailDomain}" = {
"contact@${domainFqdn}" = {
hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
aliases = ["@${mailDomain}"];
catchAll = [mailDomain];
aliases = ["@${domainFqdn}"];
catchAll = [domainFqdn];
};
};
certificateScheme = "acme";
@ -76,10 +80,10 @@ in {
services.roundcube = {
enable = true;
hostName = "mail.${mailDomain}";
hostName = "mail.${domainFqdn}";
extraConfig = ''
$config['imap_host'] = "ssl://${mailDomain}";
$config['smtp_host'] = "ssl://${mailDomain}";
$config['imap_host'] = "ssl://${domainFqdn}";
$config['smtp_host'] = "ssl://${domainFqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
@ -98,7 +102,7 @@ in {
services.nginx = {
enable = true;
virtualHosts."cal.${mailDomain}" = {
virtualHosts."cal.${domainFqdn}" = {
forceSSL = true;
enableACME = true;
locations."/" = {

44
config/network.nix Normal file
View file

@ -0,0 +1,44 @@
{config, ...}: let
owner = config.customOps.owner;
domain = config.customOps.domain.fqdn;
in {
networking.hostName = "adonis";
networking.firewall.logRefusedPackets = true;
services.tor = {
enable = true;
openFirewall = true;
enableGeoIP = false;
torsocks.enable = true;
client.enable = true;
relay = {
enable = true;
role = "relay";
};
settings = {
Nickname = "${owner}";
ContactInfo = "admin.tor@${domain}";
ExitRelay = false;
MaxAdvertisedBandwidth = "100 MB";
BandWidthRate = "100 MB";
RelayBandwidthRate = "100 MB";
CookieAuthentication = true;
AvoidDiskWrites = 1;
HardwareAccel = 0;
SafeLogging = 1;
NumCPUs = 4;
ORPort = [9001];
};
};
services.snowflake-proxy = {
enable = true;
capacity = 10;
};
}

26
config/options.nix
View file

@ -1,4 +1,10 @@
{lib, ...}: {
{
lib,
config,
...
}: let
cfg = config.customOps;
in {
options = with lib; {
customOps = mkOption {
description = "custom options";
@ -10,8 +16,22 @@
description = "machine owner username";
};
domain = mkOption {
type = types.str;
default = null;
type = types.submodule {
options = {
name = mkOption {
type = types.str;
default = null;
};
tld = mkOption {
type = types.str;
default = null;
};
fqdn = mkOption {
type = types.str;
default = "${cfg.domain.name}.${cfg.domain.tld}";
};
};
};
description = "machine domain name";
};
};

18
config/search/default.nix
View file

@ -1,5 +1,5 @@
{config, ...}: let
searxDomain = "search.${config.customOps.domain}";
searxDomain = "search.${config.customOps.domain.fqdn}";
in {
imports = [./engines.nix];
@ -24,6 +24,20 @@ in {
};
};
faviconsSettings = {
favicons = {
cfg_schema = 1;
cache = {
db_url = "/var/cache/searx/faviconcache.db";
HOLD_TIME = 5184000;
LIMIT_TOTAL_BYTES = 2147483648;
BLOB_MAX_BYTES = 40960;
MAINTENANCE_MODE = "auto";
MAINTENANCE_PERIOD = 600;
};
};
};
settings = {
general = {
debug = false;
@ -51,7 +65,7 @@ in {
safe_search = 0;
autocomplete_min = 2;
autocomplete = "duckduckgo";
favicon_resolver = "";
favicon_resolver = "allesedv";
ban_time_on_fail = 5;
max_ban_time_on_fail = 120;
};

28
config/search/engines.nix
View file

@ -45,7 +45,6 @@
"moviepilot".disabled = true;
"senscritique".disabled = true;
"geizhals".disabled = true;
"duckduckgo weather".disabled = true;
"openmeteo".disabled = true;
"fyyd".disabled = true;
"yummly".disabled = true;
@ -70,13 +69,6 @@
"apple app store".disabled = true;
"goodreads".disabled = true;
# captcha
"mojeek".disabled = true;
"mojeek images".disabled = true;
"mojeek news".disabled = true;
"qwant".disabled = true;
"qwant images".disabled = true;
"qwant videos".disabled = true;
"qwant news".disabled = true;
"cppreference".disabled = true;
"lib.rs".disabled = true;
"sourcehut".disabled = true;
@ -88,10 +80,6 @@
"library genesis".disabled = true;
"openrepos".disabled = true;
"tokyotoshokan".disabled = true;
"startpage".disabled = true;
"mulvaddelta".disabled = true;
"mulvaddelta brave".disabled = true;
"brave".disabled = true;
# non-free
"tineye".disabled = true;
"1x".disabled = true;
@ -142,22 +130,34 @@
"seekr images".disabled = true;
"seekr news".disabled = true;
"seekr videos".disabled = true;
"github".disabled = true;
# censorship
"reuters".disabled = true;
# far-right/disinformation/misinformation
"bitchute".disabled = true;
"rumble".disabled = true;
"bandcamp".disabled = true;
# slow
"crossref".disabled = true;
"wikidata".disabled = true;
# enabled
"wiby".disabled = false;
"bandcamp".disabled = false;
"duckduckgo".disabled = false;
"startpage".disabled = false;
"duckduckgo images".disabled = false;
"duckduckgo videos".disabled = false;
"duckduckgo news".disabled = false;
"duckduckgo weather".disabled = false;
"mojeek".disabled = false;
"mojeek images".disabled = false;
"mojeek news".disabled = false;
"qwant".disabled = false;
"qwant images".disabled = false;
"qwant videos".disabled = false;
"qwant news".disabled = false;
"github".disabled = false;
"mulvaddelta".disabled = false;
"mulvaddelta brave".disabled = false;
"brave".disabled = false;
};
}