config changes

- network: add tor relay + snowflake proxy - email: regex alias for admin - search: enable some additional engines
2026-01-29 21:45:04 +02:00 · 2026-01-29 21:45:04 +02:00 · 0fefd6137a
commit 0fefd6137a
parent f9a39222be
10 changed files with 128 additions and 47 deletions
--- a/config/configuration.nix
+++ b/config/configuration.nix
@ -3,8 +3,6 @@
  boot.loader.efi.canTouchEfiVariables = true;

  nix.settings.experimental-features = ["nix-command" "flakes"];
-  networking.hostName = "adonis";
-  networking.firewall.logRefusedPackets = true;

  customOps.owner = "toufy";
  customOps.domain = "toufy.me";
--- a/config/default.nix
+++ b/config/default.nix
@ -3,6 +3,7 @@
    ./disks.nix
    ./hardware-configuration.nix
    ./configuration.nix
+    ./network.nix
    ./options.nix
    ./devops
    ./mail
--- a/config/devops/forgejo.nix
+++ b/config/devops/forgejo.nix
@ -3,7 +3,7 @@
  lib,
  ...
 }: let
-  customDomain = config.customOps.domain;
+  customDomain = config.customOps.domain.fqdn;
  mail = "forgejo@${customDomain}";
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
--- a/config/http/captiveportal.nix
+++ b/config/http/captiveportal.nix
@ -1,5 +1,5 @@
 {config, ...}: let
-  domain = config.customOps.domain;
+  domain = config.customOps.domain.fqdn;
 in {
  services.nginx.virtualHosts."cpcheck.${domain}" = {
    extraConfig = ''
--- a/config/http/default.nix
+++ b/config/http/default.nix
@ -1,5 +1,5 @@
 {config, ...}: let
-  customDomain = config.customOps.domain;
+  customDomain = config.customOps.domain.fqdn;
 in {
  imports = [./captiveportal.nix];

--- a/config/mail/default.nix
+++ b/config/mail/default.nix
@ -1,5 +1,7 @@
 {config, ...}: let
-  mailDomain = config.customOps.domain;
+  domainFqdn = config.customOps.domain.fqdn;
+  domainName = config.customOps.domain.name;
+  domainTld = config.customOps.domain.tld;
 in {
  sops.secrets = {
    "mailserver/root".owner = "dovecot2";
@ -11,13 +13,13 @@ in {
  mailserver = {
    enable = true;
    stateVersion = 3;
-    fqdn = mailDomain;
-    domains = [mailDomain];
+    fqdn = domainFqdn;
+    domains = [domainFqdn];

    virusScanning = true;

-    systemDomain = mailDomain;
-    systemName = mailDomain;
+    systemDomain = domainFqdn;
+    systemName = domainFqdn;

    dmarcReporting.enable = true;
    fullTextSearch.enable = true;
@ -46,29 +48,31 @@ in {
    };

    loginAccounts = {
-      "dmarc@${mailDomain}" = {
+      "dmarc@${domainFqdn}" = {
        hashedPasswordFile = config.sops.secrets."mailserver/dmarc".path;
        aliases = [
-          "rua@${mailDomain}"
-          "ruf@${mailDomain}"
+          "rua@${domainFqdn}"
+          "ruf@${domainFqdn}"
        ];
      };
-      "root@${mailDomain}" = {
+      "root@${domainFqdn}" = {
        hashedPasswordFile = config.sops.secrets."mailserver/root".path;
        aliases = [
-          "postmaster@${mailDomain}"
-          "security@${mailDomain}"
-          "abuse@${mailDomain}"
-          "webmaster@${mailDomain}"
-          "admin@${mailDomain}"
-          "info@${mailDomain}"
-          "support@${mailDomain}"
+          "postmaster@${domainFqdn}"
+          "security@${domainFqdn}"
+          "abuse@${domainFqdn}"
+          "webmaster@${domainFqdn}"
+          "info@${domainFqdn}"
+          "support@${domainFqdn}"
+        ];
+        aliasesRegexp = [
+          "/^admin\\..*@${domainName}\\.${domainTld}$/"
        ];
      };
-      "contact@${mailDomain}" = {
+      "contact@${domainFqdn}" = {
        hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
-        aliases = ["@${mailDomain}"];
-        catchAll = [mailDomain];
+        aliases = ["@${domainFqdn}"];
+        catchAll = [domainFqdn];
      };
    };
    certificateScheme = "acme";
@ -76,10 +80,10 @@ in {

  services.roundcube = {
    enable = true;
-    hostName = "mail.${mailDomain}";
+    hostName = "mail.${domainFqdn}";
    extraConfig = ''
-      $config['imap_host'] = "ssl://${mailDomain}";
-      $config['smtp_host'] = "ssl://${mailDomain}";
+      $config['imap_host'] = "ssl://${domainFqdn}";
+      $config['smtp_host'] = "ssl://${domainFqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
@ -98,7 +102,7 @@ in {

  services.nginx = {
    enable = true;
-    virtualHosts."cal.${mailDomain}" = {
+    virtualHosts."cal.${domainFqdn}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
--- a/config/network.nix
+++ b/config/network.nix
@ -0,0 +1,44 @@
+{config, ...}: let
+  owner = config.customOps.owner;
+  domain = config.customOps.domain.fqdn;
+in {
+  networking.hostName = "adonis";
+  networking.firewall.logRefusedPackets = true;
+
+  services.tor = {
+    enable = true;
+    openFirewall = true;
+    enableGeoIP = false;
+    torsocks.enable = true;
+    client.enable = true;
+
+    relay = {
+      enable = true;
+      role = "relay";
+    };
+
+    settings = {
+      Nickname = "${owner}";
+      ContactInfo = "admin.tor@${domain}";
+
+      ExitRelay = false;
+
+      MaxAdvertisedBandwidth = "100 MB";
+      BandWidthRate = "100 MB";
+      RelayBandwidthRate = "100 MB";
+
+      CookieAuthentication = true;
+      AvoidDiskWrites = 1;
+      HardwareAccel = 0;
+      SafeLogging = 1;
+      NumCPUs = 4;
+
+      ORPort = [9001];
+    };
+  };
+
+  services.snowflake-proxy = {
+    enable = true;
+    capacity = 10;
+  };
+}
--- a/config/options.nix
+++ b/config/options.nix
@ -1,4 +1,10 @@
-{lib, ...}: {
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.customOps;
+in {
  options = with lib; {
    customOps = mkOption {
      description = "custom options";
@ -10,8 +16,22 @@
            description = "machine owner username";
          };
          domain = mkOption {
+            type = types.submodule {
+              options = {
+                name = mkOption {
                  type = types.str;
                  default = null;
+                };
+                tld = mkOption {
+                  type = types.str;
+                  default = null;
+                };
+                fqdn = mkOption {
+                  type = types.str;
+                  default = "${cfg.domain.name}.${cfg.domain.tld}";
+                };
+              };
+            };
            description = "machine domain name";
          };
        };
--- a/config/search/default.nix
+++ b/config/search/default.nix
@ -1,5 +1,5 @@
 {config, ...}: let
-  searxDomain = "search.${config.customOps.domain}";
+  searxDomain = "search.${config.customOps.domain.fqdn}";
 in {
  imports = [./engines.nix];

@ -24,6 +24,20 @@ in {
      };
    };

+    faviconsSettings = {
+      favicons = {
+        cfg_schema = 1;
+        cache = {
+          db_url = "/var/cache/searx/faviconcache.db";
+          HOLD_TIME = 5184000;
+          LIMIT_TOTAL_BYTES = 2147483648;
+          BLOB_MAX_BYTES = 40960;
+          MAINTENANCE_MODE = "auto";
+          MAINTENANCE_PERIOD = 600;
+        };
+      };
+    };
+
    settings = {
      general = {
        debug = false;
@ -51,7 +65,7 @@ in {
        safe_search = 0;
        autocomplete_min = 2;
        autocomplete = "duckduckgo";
-        favicon_resolver = "";
+        favicon_resolver = "allesedv";
        ban_time_on_fail = 5;
        max_ban_time_on_fail = 120;
      };
--- a/config/search/engines.nix
+++ b/config/search/engines.nix
@ -45,7 +45,6 @@
    "moviepilot".disabled = true;
    "senscritique".disabled = true;
    "geizhals".disabled = true;
-    "duckduckgo weather".disabled = true;
    "openmeteo".disabled = true;
    "fyyd".disabled = true;
    "yummly".disabled = true;
@ -70,13 +69,6 @@
    "apple app store".disabled = true;
    "goodreads".disabled = true;
    # captcha
-    "mojeek".disabled = true;
-    "mojeek images".disabled = true;
-    "mojeek news".disabled = true;
-    "qwant".disabled = true;
-    "qwant images".disabled = true;
-    "qwant videos".disabled = true;
-    "qwant news".disabled = true;
    "cppreference".disabled = true;
    "lib.rs".disabled = true;
    "sourcehut".disabled = true;
@ -88,10 +80,6 @@
    "library genesis".disabled = true;
    "openrepos".disabled = true;
    "tokyotoshokan".disabled = true;
-    "startpage".disabled = true;
-    "mulvaddelta".disabled = true;
-    "mulvaddelta brave".disabled = true;
-    "brave".disabled = true;
    # non-free
    "tineye".disabled = true;
    "1x".disabled = true;
@ -142,22 +130,34 @@
    "seekr images".disabled = true;
    "seekr news".disabled = true;
    "seekr videos".disabled = true;
-    "github".disabled = true;
    # censorship
    "reuters".disabled = true;
    # far-right/disinformation/misinformation
    "bitchute".disabled = true;
    "rumble".disabled = true;
-    "bandcamp".disabled = true;
    # slow
    "crossref".disabled = true;
    "wikidata".disabled = true;

    # enabled
    "wiby".disabled = false;
+    "bandcamp".disabled = false;
    "duckduckgo".disabled = false;
+    "startpage".disabled = false;
    "duckduckgo images".disabled = false;
    "duckduckgo videos".disabled = false;
    "duckduckgo news".disabled = false;
+    "duckduckgo weather".disabled = false;
+    "mojeek".disabled = false;
+    "mojeek images".disabled = false;
+    "mojeek news".disabled = false;
+    "qwant".disabled = false;
+    "qwant images".disabled = false;
+    "qwant videos".disabled = false;
+    "qwant news".disabled = false;
+    "github".disabled = false;
+    "mulvaddelta".disabled = false;
+    "mulvaddelta brave".disabled = false;
+    "brave".disabled = false;
  };
 }