config changes

- network: add tor relay + snowflake proxy
- email: regex alias for admin
- search: enable some additional engines
This commit is contained in:
toufic ar 2026-01-29 21:45:04 +02:00
parent f9a39222be
commit 0fefd6137a
Signed by: toufic ar
SSH key fingerprint: SHA256:/NaO5I1nG3gYKzrzSiTYIdRyaIYxDWfr1U+d+yfJ/4k
10 changed files with 128 additions and 47 deletions


@ -3,8 +3,6 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
networking.hostName = "adonis";
networking.firewall.logRefusedPackets = true;
customOps.owner = "toufy"; customOps.owner = "toufy";
customOps.domain = "toufy.me"; customOps.domain = "toufy.me";


@ -3,6 +3,7 @@
./disks.nix ./disks.nix
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix
./network.nix
./options.nix ./options.nix
./devops ./devops
./mail ./mail


@ -3,7 +3,7 @@
lib, lib,
... ...
}: let }: let
customDomain = config.customOps.domain; customDomain = config.customOps.domain.fqdn;
mail = "forgejo@${customDomain}"; mail = "forgejo@${customDomain}";
cfg = config.services.forgejo; cfg = config.services.forgejo;
srv = cfg.settings.server; srv = cfg.settings.server;


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
domain = config.customOps.domain; domain = config.customOps.domain.fqdn;
in { in {
services.nginx.virtualHosts."cpcheck.${domain}" = { services.nginx.virtualHosts."cpcheck.${domain}" = {
extraConfig = '' extraConfig = ''


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
customDomain = config.customOps.domain; customDomain = config.customOps.domain.fqdn;
in { in {
imports = [./captiveportal.nix]; imports = [./captiveportal.nix];


@ -1,5 +1,7 @@
{config, ...}: let {config, ...}: let
mailDomain = config.customOps.domain; domainFqdn = config.customOps.domain.fqdn;
domainName = config.customOps.domain.name;
domainTld = config.customOps.domain.tld;
in { in {
sops.secrets = { sops.secrets = {
"mailserver/root".owner = "dovecot2"; "mailserver/root".owner = "dovecot2";
@ -11,13 +13,13 @@ in {
mailserver = { mailserver = {
enable = true; enable = true;
stateVersion = 3; stateVersion = 3;
fqdn = mailDomain; fqdn = domainFqdn;
domains = [mailDomain]; domains = [domainFqdn];
virusScanning = true; virusScanning = true;
systemDomain = mailDomain; systemDomain = domainFqdn;
systemName = mailDomain; systemName = domainFqdn;
dmarcReporting.enable = true; dmarcReporting.enable = true;
fullTextSearch.enable = true; fullTextSearch.enable = true;
@ -46,29 +48,31 @@ in {
}; };
loginAccounts = { loginAccounts = {
"dmarc@${mailDomain}" = { "dmarc@${domainFqdn}" = {
hashedPasswordFile = config.sops.secrets."mailserver/dmarc".path; hashedPasswordFile = config.sops.secrets."mailserver/dmarc".path;
aliases = [ aliases = [
"rua@${mailDomain}" "rua@${domainFqdn}"
"ruf@${mailDomain}" "ruf@${domainFqdn}"
]; ];
}; };
"root@${mailDomain}" = { "root@${domainFqdn}" = {
hashedPasswordFile = config.sops.secrets."mailserver/root".path; hashedPasswordFile = config.sops.secrets."mailserver/root".path;
aliases = [ aliases = [
"postmaster@${mailDomain}" "postmaster@${domainFqdn}"
"security@${mailDomain}" "security@${domainFqdn}"
"abuse@${mailDomain}" "abuse@${domainFqdn}"
"webmaster@${mailDomain}" "webmaster@${domainFqdn}"
"admin@${mailDomain}" "info@${domainFqdn}"
"info@${mailDomain}" "support@${domainFqdn}"
"support@${mailDomain}" ];
aliasesRegexp = [
"/^admin\\..*@${domainName}\\.${domainTld}$/"
]; ];
}; };
"contact@${mailDomain}" = { "contact@${domainFqdn}" = {
hashedPasswordFile = config.sops.secrets."mailserver/contact".path; hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
aliases = ["@${mailDomain}"]; aliases = ["@${domainFqdn}"];
catchAll = [mailDomain]; catchAll = [domainFqdn];
}; };
}; };
certificateScheme = "acme"; certificateScheme = "acme";
@ -76,10 +80,10 @@ in {
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.${mailDomain}"; hostName = "mail.${domainFqdn}";
extraConfig = '' extraConfig = ''
$config['imap_host'] = "ssl://${mailDomain}"; $config['imap_host'] = "ssl://${domainFqdn}";
$config['smtp_host'] = "ssl://${mailDomain}"; $config['smtp_host'] = "ssl://${domainFqdn}";
$config['smtp_user'] = "%u"; $config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p"; $config['smtp_pass'] = "%p";
''; '';
@ -98,7 +102,7 @@ in {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."cal.${mailDomain}" = { virtualHosts."cal.${domainFqdn}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
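Review bot: The new `aliasesRegexp` entry `"/^admin\\..*@${domainName}\\.${domainTld}$/"` requires a dot after `admin`, so the bare `admin@${domainFqdn}` address that this hunk drops from the `root@` `aliases` list no longer routes to root and would presumably be delivered to the `contact@` account's `@${domainFqdn}` catch-all further down. If plain admin@ should still reach root, either keep `"admin@${domainFqdn}"` in `aliases` or make the dotted suffix optional: `"/^admin(\\..*)?@${domainName}\\.${domainTld}$/"`. `domainName` and `domainTld` are spliced into the pattern unescaped (only the separator dot is escaped), which is fine for plain DNS labels but deserves a comment at the let binding such as `# name/tld are plain labels; they are interpolated into aliasesRegexp unescaped`. The `let` block at the top of the file and the `loginAccounts` set both begin outside these hunks.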

44
config/network.nix Normal file

@ -0,0 +1,44 @@
{config, ...}: let
owner = config.customOps.owner;
domain = config.customOps.domain.fqdn;
in {
networking.hostName = "adonis";
networking.firewall.logRefusedPackets = true;
services.tor = {
enable = true;
openFirewall = true;
enableGeoIP = false;
torsocks.enable = true;
client.enable = true;
relay = {
enable = true;
role = "relay";
};
settings = {
Nickname = "${owner}";
ContactInfo = "admin.tor@${domain}";
ExitRelay = false;
MaxAdvertisedBandwidth = "100 MB";
BandWidthRate = "100 MB";
RelayBandwidthRate = "100 MB";
CookieAuthentication = true;
AvoidDiskWrites = 1;
HardwareAccel = 0;
SafeLogging = 1;
NumCPUs = 4;
ORPort = [9001];
};
};
services.snowflake-proxy = {
enable = true;
capacity = 10;
};
}
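Review bot: On the `BandWidthRate = "100 MB";` line the key is capitalised differently from Tor's documented `BandwidthRate` and from the neighbouring `MaxAdvertisedBandwidth` and `RelayBandwidthRate`; Tor matches torrc keys case-insensitively as far as I know, so it likely still takes effect, but the NixOS module's typed option is `BandwidthRate`, so the consistent line is `BandwidthRate = "100 MB";`. `Nickname = "${owner}";` interpolates a value that is already a string and can simply be `Nickname = owner;`. `relay.enable` and `client.enable` are both on for the same daemon, and Tor's documentation has cautioned against using a public relay as one's own client, so a comment stating that this co-location is deliberate would help the next reader. `ContactInfo = "admin.tor@${domain}"` only resolves because of the `admin\..*` regex alias added to the mail configuration in this same commit; a one-line comment naming that coupling would make the cross-file dependency visible.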


@ -1,4 +1,10 @@
{lib, ...}: { {
lib,
config,
...
}: let
cfg = config.customOps;
in {
options = with lib; { options = with lib; {
customOps = mkOption { customOps = mkOption {
description = "custom options"; description = "custom options";
@ -10,8 +16,22 @@
description = "machine owner username"; description = "machine owner username";
}; };
domain = mkOption { domain = mkOption {
type = types.submodule {
options = {
name = mkOption {
type = types.str; type = types.str;
default = null; default = null;
};
tld = mkOption {
type = types.str;
default = null;
};
fqdn = mkOption {
type = types.str;
default = "${cfg.domain.name}.${cfg.domain.tld}";
};
};
};
description = "machine domain name"; description = "machine domain name";
}; };
}; };
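Review bot: `default = null;` under the new `tld` option (and the carried-over `name`) is not a value of `types.str`, so an unset `customOps.domain.tld` surfaces only when the `fqdn` default is evaluated, as a type-check failure on the default rather than a clear missing-definition error; dropping the `default` line, or using `type = types.nullOr types.str;` if absence is meaningful, gives the better diagnostic. The three submodule options carry no `description`; for example `description = "domain label without the TLD";` on `name`, `description = "top-level domain";` on `tld`, and `description = "fully qualified domain name; defaults to name.tld";` on `fqdn`. The `fqdn` default reads `cfg.domain.name` and `cfg.domain.tld` back through `config`, which works but is a self-reference through the module system and is worth a short comment. The `customOps` option set starts before this file's second hunk.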


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
searxDomain = "search.${config.customOps.domain}"; searxDomain = "search.${config.customOps.domain.fqdn}";
in { in {
imports = [./engines.nix]; imports = [./engines.nix];
@ -24,6 +24,20 @@ in {
}; };
}; };
faviconsSettings = {
favicons = {
cfg_schema = 1;
cache = {
db_url = "/var/cache/searx/faviconcache.db";
HOLD_TIME = 5184000;
LIMIT_TOTAL_BYTES = 2147483648;
BLOB_MAX_BYTES = 40960;
MAINTENANCE_MODE = "auto";
MAINTENANCE_PERIOD = 600;
};
};
};
settings = { settings = {
general = { general = {
debug = false; debug = false;
@ -51,7 +65,7 @@ in {
safe_search = 0; safe_search = 0;
autocomplete_min = 2; autocomplete_min = 2;
autocomplete = "duckduckgo"; autocomplete = "duckduckgo";
favicon_resolver = ""; favicon_resolver = "allesedv";
ban_time_on_fail = 5; ban_time_on_fail = 5;
max_ban_time_on_fail = 120; max_ban_time_on_fail = 120;
}; };
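Review bot: `favicon_resolver = "allesedv";` sends every favicon lookup for a not-yet-cached result domain to a third-party service, so part of what users search for on this instance is disclosed to that provider; the new `favicons.cache` block reduces but does not remove that, and a comment recording the trade-off such as `# favicons fetched via allesedv; the cache keeps repeat lookups local` would help. The cache path `/var/cache/searx/faviconcache.db` presumes that the directory exists and is writable by the searx service user; I cannot tell from these hunks whether the module provisions it (a systemd `CacheDirectory` or tmpfiles rule), so please confirm or add one. `HOLD_TIME = 5184000` and `LIMIT_TOTAL_BYTES = 2147483648` would read better with unit comments, `# 60 days` and `# 2 GiB`. The `faviconsSettings` attribute and the `settings` block around `favicon_resolver` both extend beyond this section's hunks.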


@ -45,7 +45,6 @@
"moviepilot".disabled = true; "moviepilot".disabled = true;
"senscritique".disabled = true; "senscritique".disabled = true;
"geizhals".disabled = true; "geizhals".disabled = true;
"duckduckgo weather".disabled = true;
"openmeteo".disabled = true; "openmeteo".disabled = true;
"fyyd".disabled = true; "fyyd".disabled = true;
"yummly".disabled = true; "yummly".disabled = true;
@ -70,13 +69,6 @@
"apple app store".disabled = true; "apple app store".disabled = true;
"goodreads".disabled = true; "goodreads".disabled = true;
# captcha # captcha
"mojeek".disabled = true;
"mojeek images".disabled = true;
"mojeek news".disabled = true;
"qwant".disabled = true;
"qwant images".disabled = true;
"qwant videos".disabled = true;
"qwant news".disabled = true;
"cppreference".disabled = true; "cppreference".disabled = true;
"lib.rs".disabled = true; "lib.rs".disabled = true;
"sourcehut".disabled = true; "sourcehut".disabled = true;
@ -88,10 +80,6 @@
"library genesis".disabled = true; "library genesis".disabled = true;
"openrepos".disabled = true; "openrepos".disabled = true;
"tokyotoshokan".disabled = true; "tokyotoshokan".disabled = true;
"startpage".disabled = true;
"mulvaddelta".disabled = true;
"mulvaddelta brave".disabled = true;
"brave".disabled = true;
# non-free # non-free
"tineye".disabled = true; "tineye".disabled = true;
"1x".disabled = true; "1x".disabled = true;
@ -142,22 +130,34 @@
"seekr images".disabled = true; "seekr images".disabled = true;
"seekr news".disabled = true; "seekr news".disabled = true;
"seekr videos".disabled = true; "seekr videos".disabled = true;
"github".disabled = true;
# censorship # censorship
"reuters".disabled = true; "reuters".disabled = true;
# far-right/disinformation/misinformation # far-right/disinformation/misinformation
"bitchute".disabled = true; "bitchute".disabled = true;
"rumble".disabled = true; "rumble".disabled = true;
"bandcamp".disabled = true;
# slow # slow
"crossref".disabled = true; "crossref".disabled = true;
"wikidata".disabled = true; "wikidata".disabled = true;
# enabled # enabled
"wiby".disabled = false; "wiby".disabled = false;
"bandcamp".disabled = false;
"duckduckgo".disabled = false; "duckduckgo".disabled = false;
"startpage".disabled = false;
"duckduckgo images".disabled = false; "duckduckgo images".disabled = false;
"duckduckgo videos".disabled = false; "duckduckgo videos".disabled = false;
"duckduckgo news".disabled = false; "duckduckgo news".disabled = false;
"duckduckgo weather".disabled = false;
"mojeek".disabled = false;
"mojeek images".disabled = false;
"mojeek news".disabled = false;
"qwant".disabled = false;
"qwant images".disabled = false;
"qwant videos".disabled = false;
"qwant news".disabled = false;
"github".disabled = false;
"mulvaddelta".disabled = false;
"mulvaddelta brave".disabled = false;
"brave".disabled = false;
}; };
} }
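Review bot: `"mulvaddelta".disabled = false;` and `"mulvaddelta brave".disabled = false;` use a key that does not look like a SearXNG engine name (as far as I recall the upstream engines are `mullvad leta` and `mullvad leta brave`); a key with no matching upstream engine silently enables nothing, so verify the spelling against the instance's settings.yml before relying on it. The `mojeek` and `qwant` entries move out from under the `# captcha` heading into `# enabled` with no note on why the captcha problem no longer applies; a comment such as `# previously captcha-prone; re-enabled after testing on <date placeholder>` would keep that history. After the move the `# captcha` heading is left above `cppreference`, `lib.rs` and `sourcehut`, which it may no longer describe. The enclosing attribute set begins before this file's first hunk.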