blob: 4fe7782e6649bdb27d8be2e3196847fc82636454 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix>
<stockholm/lass/2configs/muchsync.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix>
<stockholm/lass/2configs/et-server.nix>
<stockholm/lass/2configs/consul.nix>
];
krebs.build.host = config.krebs.hosts.green;
lass.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
};
systemd.tmpfiles.rules = [
"d /var/state/lass_mail 0700 lass users -"
"L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
"d /home/lass/notmuch 0700 lass users -"
"L+ /var/state/lass_mail/.notmuch - - - - /home/lass/notmuch"
"d /var/state/lass_ssh 0700 lass users -"
"L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
"d /var/state/lass_gpg 0700 lass users -"
"L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
"d /var/state/lass_sync 0700 lass users -"
"L+ /home/lass/sync - - - - ../../var/state/lass_sync"
"d /var/state/git 0700 git nogroup -"
"L+ /var/lib/git - - - - ../../var/state/git"
];
users.users.mainUser.openssh.authorizedKeys.keys = [
config.krebs.users.lass-android.pubkey
config.krebs.users.lass-tablet.pubkey
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
];
# workaround for ssh access from yubikey via android
services.openssh.extraConfig = ''
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
'';
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Maildir";
};
networking.firewall.allowedTCPPorts = [ 143 ];
}
|