From d62b4a82045567776c553811e16691a9faafa086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Sun, 1 Sep 2024 11:59:22 +0200
Subject: [PATCH 01/11] fix(paperless): increase worker timeout for large documents

---
 paperless.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/paperless.nix b/paperless.nix
index 7a81332..69fe53e 100644
--- a/paperless.nix
+++ b/paperless.nix
@@ -26,6 +26,7 @@ in
 PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
 PAPERLESS_TASK_WORKERS = "4";
 PAPERLESS_THREADS_PER_WORKER = "1";
+ PAPERLESS_WORKER_TIMEOUT = "18000";
 };
 };
 users.groups.paperless-upload = {};

From f7d3397b4030643102497501853918a0755bb31d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Mon, 2 Sep 2024 11:36:57 +0200
Subject: [PATCH 02/11] fix(vnc): reset keymap to us

---
 configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration.nix b/configuration.nix
index 6086525..94bbd86 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -40,6 +40,6 @@ in
 users.users.root.initialPassword = "asunarovow";
 networking.domain = "";
 nix.allowedUsers = [ "@wheel" "root" ];
- console.keyMap = "fr";
+ console.keyMap = "us";
 system.stateVersion = "23.11";
 }

From cb15994cc6ee063f72734cd1b097fed98fcdfa0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Mon, 2 Sep 2024 13:58:20 +0200
Subject: [PATCH 03/11] feat(mailserver): flake setup

---
 flake.lock | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 flake.nix | 4 +-
 2 files changed, 123 insertions(+), 2 deletions(-)

diff --git a/flake.lock b/flake.lock
index 3305ce1..5413db9 100644
--- a/flake.lock
+++ b/flake.lock
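Review bot: `PAPERLESS_WORKER_TIMEOUT = "18000"` gives neither the unit nor the reason for the size; the value is in seconds, so this is five hours during which a hung consumer task can keep one of the four `PAPERLESS_TASK_WORKERS` busy. A short comment on the new line would stop the next reader from taking it for milliseconds and would record what was observed: `# seconds (5 h): large documents exceeded the default timeout`.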
@@ -1,5 +1,37 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1724316499, 
@@ -16,9 +48,96 @@ "type": "github" } }, + "nixpkgs-24_05": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "nixpkgs-24_05": "nixpkgs-24_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1718084203, + "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-24.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": 
"d465f4819400de7c8d874d50b982301f28a84605", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 7bbadba..6069e04 100644 --- a/flake.nix +++ b/flake.nix @@ -3,13 +3,15 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, ... }: { + outputs = { nixpkgs, simple-nixos-mailserver, ... }: { nixosConfigurations.quasar = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix + simple-nixos-mailserver.nixosModule ]; }; }; From d17dfebff81f41ae2c6d5807defa51968e55800b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kha=C3=AFs=20COLIN?= Date: Mon, 2 Sep 2024 14:06:24 +0200 Subject: [PATCH 04/11] feat(mail): basic config --- configuration.nix | 2 +- mailserver.nix | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 mailserver.nix diff --git a/configuration.nix b/configuration.nix index 94bbd86..dddc5a1 100644 --- a/configuration.nix +++ b/configuration.nix @@ -24,8 +24,8 @@ in ./postgresql.nix (import ./sourcehut.nix { inherit base-domain; }) - (import ./paperless.nix { inherit base-domain lib; }) + (import ./mailserver.nix { inherit base-domain; }) ./userprogs.nix ]; diff --git a/mailserver.nix b/mailserver.nix new file mode 100644 index 0000000..795353c --- /dev/null +++ b/mailserver.nix @@ -0,0 +1,20 @@ +{ base-domain, ... }: +let + fqdn = "mail.${base-domain}"; +in +{ + mailserver = { + enable = true; + inherit fqdn; + domains = [ base-domain ]; + + loginAccounts = { + "khais.colin@${base-domain}" = { + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + hashedPasswordFile = "/etc/nixos/secrets/mailserver/khais.colin.hashpassword"; + }; + }; + + certificateScheme = "acme-nginx"; + }; +} From c751c047f4a740e40ea4f086406c922d379b866b Mon Sep 17 00:00:00 2001 
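Review bot: The `simple-nixos-mailserver` input is added to flake.nix without a `follows`, so it pulls in its own `nixpkgs` (the lock in this commit records it as `nixpkgs_2` on nixos-unstable, plus `nixpkgs-24_05`), and the later "update all flakes" commit bumps those independently of the nixpkgs the system is built from. Pinning it to the top-level input leaves one nixpkgs revision to audit and update: `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` beside the new `.url` line. Dropping `self` from the outputs pattern is fine as long as nothing in the flake referenced it; nothing in this hunk does.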
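Review bot: In the new mailserver.nix, `hashedPasswordFile` points into `/etc/nixos/secrets/`, which sits beside the tracked configuration (the modules import each other by relative path from that directory); if that secrets tree is not excluded from version control, the bcrypt hash lands in git history with the rest of the config, and the `# nix-shell -p mkpasswd` hint does not say where the file is meant to live. A comment on the `hashedPasswordFile` line stating how the file is provisioned would settle it, e.g. `# provisioned out of band; never commit this file`. I cannot see a `.gitignore` in this series, so treat the exposure as unconfirmed rather than established.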
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Sat, 31 Aug 2024 19:15:00 +0200
Subject: [PATCH 05/11] feat: enable IPv6 networking

---
 configuration.nix | 3 +--
 networking.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 networking.nix

diff --git a/configuration.nix b/configuration.nix
index dddc5a1..2576194 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -5,6 +5,7 @@ in
 { lib, ... }:
 {
 imports = [
 ./hardware-configuration.nix
+ ./networking.nix
 ./audit.nix
 ./openssh.nix
@@ -36,9 +37,7 @@ in
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
- networking.hostName = "quasar";
 users.users.root.initialPassword = "asunarovow";
- networking.domain = "";
 nix.allowedUsers = [ "@wheel" "root" ];
 console.keyMap = "us";
 system.stateVersion = "23.11";
diff --git a/networking.nix b/networking.nix
new file mode 100644
index 0000000..a719cda
--- /dev/null
+++ b/networking.nix
@@ -0,0 +1,14 @@
+{
+ networking.hostName = "quasar";
+ networking.domain = "";
+ networking.interfaces.ens18 = {
+ ipv6.addresses = [{
+ address = "2a02:c206:2209:5178:0000:0000:0000:0001";
+ prefixLength = 64;
+ }];
+ };
+ networking.defaultGateway6 = {
+ address = "fe80::1";
+ interface = "ens18";
+ };
+}

From db88f75b3484456594b3da3c76b3fb5dea09f67e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Fri, 6 Sep 2024 17:48:30 +0200
Subject: [PATCH 06/11] fix(mail): open needed ports

---
 firewall.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/firewall.nix b/firewall.nix
index 8074529..2f3ffbe 100644
--- a/firewall.nix
+++ b/firewall.nix
@@ -1,8 +1,8 @@
 {
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 22 80 443 21 ];
- allowedUDPPorts = [ 22 80 443 ];
+ allowedTCPPorts = [ 22 80 443 21 25 465 587 143 993 995 110 ];
+ allowedUDPPorts = [ 22 80 443 25 465 587 143 993 995 110 ];
 allowedTCPPortRanges = [
 # vsftpd passive
 {

From 9767e8e0e4cbfdd1027425a07636ca3f3c6aefec Mon Sep 17 00:00:00 2001
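Review bot: `users.users.root.initialPassword = "asunarovow"` stays on the new side of the second configuration.nix hunk while the host settings around it move to networking.nix; it is a cleartext root password committed to the repository, and the NixOS option documentation warns that `initialPassword` is also written into the world-readable Nix store. Since the option only applies when the account is first created, it buys nothing on an already-installed host: switch to `users.users.root.hashedPasswordFile = "/etc/nixos/secrets/<root-hash-file>";` (a file kept out of git, the pattern mailserver.nix already uses for its mailbox hash) and rotate the password, because the current one is in history. The attribute set this hunk edits begins before the hunk.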
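Review bot: The address in `networking.interfaces.ens18.ipv6.addresses` in the new networking.nix is spelled in fully expanded form, `2a02:c206:2209:5178:0000:0000:0000:0001`; the canonical short form `2a02:c206:2209:5178::1` is what `ip addr` and provider panels display, so using it makes the value easier to compare and a typo easier to spot. The two spellings are functionally identical, so this is purely a readability point.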
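Review bot: The new `allowedUDPPorts` entries 25, 465, 587, 143, 993, 995 and 110 in firewall.nix accept UDP for services that are TCP-only (SMTP, submission, IMAP, POP3), so they widen the input rules without enabling anything; the line should keep its previous value, `allowedUDPPorts = [ 22 80 443 ];`. On the TCP line, 110/995 are POP3 and 143 is IMAP with STARTTLS, so open only those the mailserver in mailserver.nix is configured to serve, and check whether the module's own `openFirewall` option (which I believe defaults to on) already opens the protocols it enables, in which case this edit duplicates it. The same UDP list is carried forward unchanged in the syncthing commit's firewall.nix hunk.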
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Fri, 6 Sep 2024 18:16:29 +0200
Subject: [PATCH 07/11] fix: disable mailserver for now, wait 1 month and try again

---
 mailserver.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mailserver.nix b/mailserver.nix
index 795353c..a185570 100644
--- a/mailserver.nix
+++ b/mailserver.nix
@@ -4,7 +4,8 @@ let
 in
 {
 mailserver = {
- enable = true;
+ enable = false;
+ debug = true;
 inherit fqdn;
 domains = [ base-domain ];

From b6f76847a351f08e4e8c92cbeb3a00050300ee16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Thu, 3 Oct 2024 14:54:38 +0200
Subject: [PATCH 08/11] feat(syncthing): setup syncthing

---
 configuration.nix | 1 +
 firewall.nix | 4 ++--
 nginx.nix | 7 +++++++
 syncthing.nix | 10 ++++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 syncthing.nix

diff --git a/configuration.nix b/configuration.nix
index 2576194..20073cc 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -27,6 +27,7 @@ in
 (import ./sourcehut.nix { inherit base-domain; })
 (import ./paperless.nix { inherit base-domain lib; })
 (import ./mailserver.nix { inherit base-domain; })
+ (import ./syncthing.nix { inherit base-domain; })
 ./userprogs.nix
 ];
diff --git a/firewall.nix b/firewall.nix
index 2f3ffbe..9ad7ab3 100644
--- a/firewall.nix
+++ b/firewall.nix
@@ -1,8 +1,8 @@
 {
 networking.firewall = {
 enable = true;
- allowedTCPPorts = [ 22 80 443 21 25 465 587 143 993 995 110 ];
- allowedUDPPorts = [ 22 80 443 25 465 587 143 993 995 110 ];
+ allowedTCPPorts = [ 22 80 443 21 25 465 587 143 993 995 110 22000 ];
+ allowedUDPPorts = [ 22 80 443 25 465 587 143 993 995 110 22000 ];
 allowedTCPPortRanges = [
 # vsftpd passive
 {
diff --git a/nginx.nix b/nginx.nix
index 31d5767..a30b407 100644
--- a/nginx.nix
+++ b/nginx.nix
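Review bot: `debug = true` is introduced in the same mailserver.nix hunk that sets `enable = false`, so it does nothing now and becomes active the moment the service is turned back on; the module's debug option is meant for verbose development logging, which is not something to leave on after the retry succeeds. Either add it only when re-enabling, or mark it: `debug = true; # temporary, for the next delivery attempt; remove once mail flows`. Note also that the mail ports opened in firewall.nix by the previous commit stay open while no service listens behind them.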
@@ -26,6 +26,13 @@
 proxyPass = "http://localhost:28981";
 };
 };
+ "syncthing.${base-domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://syncthing.${base-domain}:8384";
+ };
+ };
 };
 };
 }
diff --git a/syncthing.nix b/syncthing.nix
new file mode 100644
index 0000000..5d099ad
--- /dev/null
+++ b/syncthing.nix
@@ -0,0 +1,10 @@
+{ base-domain, ... }:
+let
+ fqdn = "syncthing.${base-domain}:8384";
+in
+{
+ services.syncthing = {
+ enable = true;
+ guiAddress = fqdn;
+ };
+}

From 9020192203b4cd86022b4f434690793c2dfc334e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Tue, 29 Oct 2024 11:05:02 +0100
Subject: [PATCH 09/11] fix(paperless): do not fail to import documents with digital signatures

---
 paperless.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/paperless.nix b/paperless.nix
index 69fe53e..4ca3cb4 100644
--- a/paperless.nix
+++ b/paperless.nix
@@ -19,6 +19,9 @@ in
 PAPERLESS_OCR_USER_ARGS = {
 optimize = 1;
 pdfa_image_compression = "lossless";
+ # do not fail to import documents that have a digital signature
+ # https://github.com/paperless-ngx/paperless-ngx/discussions/4047#discussioncomment-7019544
+ invalidate_digital_signatures = true;
 };
 PAPERLESS_TIME_ZONE = "Europe/Paris";
 PAPERLESS_CONSUMER_ENABLE_BARCODES = "true";

From fffa0a4cae7e1516ee28cc614d0d23feee6efe25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kha=C3=AFs=20COLIN?=
Date: Thu, 27 Mar 2025 22:27:12 +0100
Subject: [PATCH 10/11] update all flakes

---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/flake.lock b/flake.lock
index 5413db9..7fd3990 100644
--- a/flake.lock
+++ b/flake.lock
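Review bot: `guiAddress = "syncthing.${base-domain}:8384"` in the new syncthing.nix binds the Syncthing GUI and REST API to whatever that public name resolves to (presumably the global IPv6 address from networking.nix) instead of loopback, and the nginx.nix hunk then proxies to that same public name; the GUI is kept off the internet only by 8384 not being in the firewall list, and every proxied request leaves loopback. Bind locally and proxy locally: `guiAddress = "127.0.0.1:8384";` in syncthing.nix and `proxyPass = "http://127.0.0.1:8384";` in nginx.nix, after which the `fqdn` let-binding no longer needs a port inside it. The new vhost adds no authentication of its own, so a GUI user and password in Syncthing's settings (or nginx basic auth) should be in place before this is served under a public certificate.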
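Review bot: The new comment in paperless.nix says what `invalidate_digital_signatures = true` avoids but not what it costs: ocrmypdf will now rewrite PDFs whose signature it would otherwise refuse to touch, so the archived copy no longer carries a valid signature. Paperless keeps the uploaded original next to the archived version, so the signature remains verifiable there; one line saying so would save the next reader a trip to the linked discussion: `# the archive copy loses the signature; the stored original keeps it`.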
@@ -34,11 +34,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1724316499, - "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { @@ -93,11 +93,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1718084203, - "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", + "lastModified": 1734885828, + "narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", + "rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55", "type": "gitlab" }, "original": { From 6304a4890b1316c809d9e5081fafee880583e6cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kha=C3=AFs=20COLIN?= Date: Thu, 27 Mar 2025 22:49:28 +0100 Subject: [PATCH 11/11] fix: sourcehut did not allow cloning from https --- sourcehut.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sourcehut.nix b/sourcehut.nix index 9d8e4c1..957473c 100644 --- a/sourcehut.nix +++ b/sourcehut.nix @@ -4,6 +4,8 @@ let fqdn = "sourcehut.${base-domain}"; in { + # workaround: https://github.com/NixOS/nixpkgs/issues/317865 + programs.git.config.safe.directory = "*"; services.sourcehut = { enable = true; meta = {
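Review bot: `programs.git.config.safe.directory = "*"` in sourcehut.nix goes into the system-wide git configuration, so it switches off git's dubious-ownership check for every user and service on the host, not only for sourcehut; any repository owned by another user (a shared checkout, a mounted volume) then has its hooks and config trusted by whoever runs git inside it. The linked issue concerns sourcehut's git service, so the setting belongs to those units only: export it there via `GIT_CONFIG_COUNT=1`, `GIT_CONFIG_KEY_0=safe.directory`, `GIT_CONFIG_VALUE_0=*` in the relevant `systemd.services.<sourcehut-git-unit>.environment`, or at least extend the `# workaround:` comment to say that the setting is host-wide and why that is acceptable here. The `services.sourcehut` attribute set continues outside the hunk.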