Aliasvault

systems/x86_64-linux/stargate/duckdns.nix

@@ -17,14 +17,20 @@
   systemd.services."duckdns" = {
     script = let
       duckdns = pkgs.writeShellScriptBin "duckdns" ''
-        TOKEN=$(${pkgs.coreutils}/bin/cat ${config.sops.secrets."duckdns".path})
-        REALV6=$(${pkgs.iproute2}/bin/ip -6 addr show dev enp3s0 scope global \
-         | ${pkgs.gawk}/bin/awk '/inet6 2/{print $2}' \
-         | ${pkgs.coreutils}/bin/cut -d/ -f1 \
-         | ${pkgs.gnugrep}/bin/grep -E 'f9c4$' \
-         | ${pkgs.coreutils}/bin/head -n1)
-        REALV4=$(${pkgs.curl}/bin/curl -s https://ifconfig.me --ipv4)
-        ${pkgs.coreutils}/bin/echo url="https://www.duckdns.org/update?domains=kylekrein&token=$TOKEN&ipv6=$REALV6&ip=$REALV4" | ${pkgs.curl}/bin/curl -k -K -
+                TOKEN=$(${pkgs.coreutils}/bin/cat ${config.sops.secrets."duckdns".path})
+                REALV6=$(${pkgs.iproute2}/bin/ip -6 addr show dev enp3s0 scope global \
+                 | ${pkgs.gawk}/bin/awk '/inet6 2/{print $2}' \
+                 | ${pkgs.coreutils}/bin/cut -d/ -f1 \
+                 | ${pkgs.gnugrep}/bin/grep -E 'f9c4$' \
+                 | ${pkgs.coreutils}/bin/head -n1)
+                REALV4=$(${pkgs.curl}/bin/curl -s https://ifconfig.me --ipv4)
+                ${pkgs.coreutils}/bin/echo url="https://www.duckdns.org/update?domains=kylekrein&token=$TOKEN&ipv6=$REALV6&ip=$REALV4" | ${pkgs.curl}/bin/curl -k -K -
+
+        ${pkgs.coreutils}/bin/mkdir -p /etc/fail2ban/jail.d
+        ${pkgs.coreutils}/bin/cat > /etc/fail2ban/jail.d/duckdns-ignore.local <<EOF
+        [DEFAULT]
+        ignoreip = 127.0.0.1/8 ::1 192.168.178.1/24 $REALV4 $REALV6
+        EOF
       '';
     in ''
       set -eu

systems/x86_64-linux/stargate/services/aliasvault.nix

@@ -0,0 +1,60 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  systemd.tmpfiles.rules = [
+    # format: type path mode uid gid age argument
+    "d /var/lib/aliasvault 0750 100 102 - -"
+    "d /var/lib/aliasvault/database 0700 100 102 - -"
+    "d /var/lib/aliasvault/logs 0750 100 102 - -"
+    "d /var/lib/aliasvault/secrets 0750 100 102 - -"
+  ];
+  # Подман
+  virtualisation.podman.enable = true;
+  virtualisation.oci-containers.backend = "podman";
+
+  virtualisation.oci-containers.containers.aliasvault = {
+    image = "ghcr.io/aliasvault/aliasvault:latest";
+    autoStart = true;
+
+    ports = [
+      "127.0.0.1:8086:80"
+      "127.0.0.1:8444:443"
+      "127.0.0.1:2525:25"
+      "127.0.0.1:5877:587"
+    ];
+
+    volumes = [
+      "/var/lib/aliasvault/database:/database:rw"
+      "/var/lib/aliasvault/logs:/logs:rw"
+      "/var/lib/aliasvault/secrets:/secrets:rw"
+    ];
+
+    environment = {
+      HOSTNAME = "pass.kylekrein.com";
+      PUBLIC_REGISTRATION_ENABLED = "false";
+      IP_LOGGING_ENABLED = "true";
+      FORCE_HTTPS_REDIRECT = "false"; # SSL делаем на nginx
+      SUPPORT_EMAIL = "";
+      PRIVATE_EMAIL_DOMAINS = "notthebees.org";
+    };
+  };
+
+  # Nginx
+  services.nginx.virtualHosts."pass.kylekrein.com" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://localhost:8086/";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  # Firewall
+  networking.firewall.allowedTCPPorts = [80 443 587 25];
+}

systems/x86_64-linux/stargate/services/fail2ban.nix

@@ -8,7 +8,7 @@
     "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
       [Definition]
       norestored = true # Needed to avoid receiving a new notification after every restart
-      actionban = echo "<ip> has been banned: <name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." | /run/wrappers/bin/sendmail -i fail2ban@localhost.com
+      actionban = ${pkgs.coreutils}/bin/echo "<ip> has been banned: <name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." | /run/wrappers/bin/sendmail -i fail2ban@localhost.com
     '');
     # Defines a filter that detects URL probing by reading the Nginx access log
     "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''

systems/x86_64-linux/stargate/services/ntfy-sh.nix

@@ -28,27 +28,4 @@ with lib.custom; {
       attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
     };
   };
-
-  services.postfix = {
-    enable = true;
-    config = {
-      myhostname = "stargate.local";
-      mydestination = "localhost, localhost.com";
-      relayhost = "";
-      transport_maps = "hash:/etc/postfix.conf";
-    };
-  };
-
-  environment.etc."postfix.conf".text = ''
-    localhost.com   smtp:[127.0.0.1]:1299
-  '';
-  systemd.services.postmap-transport = {
-    description = "Generate postfix transport.db from transport";
-    wantedBy = ["multi-user.target"];
-    before = ["postfix.service"];
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.postfix}/bin/postmap /etc/postfix.conf";
-    };
-  };
 }

systems/x86_64-linux/stargate/services/postfix.nix

@@ -0,0 +1,32 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  services.postfix = {
+    enable = true;
+    config = {
+      myhostname = "stargate.local";
+      mydestination = "localhost, localhost.com";
+
+      relay_domains = "notthebees.org";
+      transport_maps = "hash:/etc/postfix.conf";
+      inet_interfaces = "all";
+    };
+  };
+
+  environment.etc."postfix.conf".text = ''
+    localhost.com   smtp:[127.0.0.1]:1299
+    notthebees.org   smtp:[127.0.0.1]:2525
+  '';
+  systemd.services.postmap-transport = {
+    description = "Generate postfix transport.db from transport";
+    wantedBy = ["multi-user.target"];
+    before = ["postfix.service"];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.postfix}/bin/postmap /etc/postfix.conf";
+    };
+  };
+}