kylekrein/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Aliasvault

Browse source
This commit is contained in:
Aleksandr Lebedev 2025-10-03 14:36:50 +02:00
parent 7a1053586d
commit 3cfbb8ec2e
5 changed files with 107 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

6
systems/x86_64-linux/stargate/duckdns.nix
View file

@ -25,6 +25,12 @@
| ${pkgs.coreutils}/bin/head -n1) | ${pkgs.coreutils}/bin/head -n1)
REALV4=$(${pkgs.curl}/bin/curl -s https://ifconfig.me --ipv4) REALV4=$(${pkgs.curl}/bin/curl -s https://ifconfig.me --ipv4)
${pkgs.coreutils}/bin/echo url="https://www.duckdns.org/update?domains=kylekrein&token=$TOKEN&ipv6=$REALV6&ip=$REALV4" | ${pkgs.curl}/bin/curl -k -K - ${pkgs.coreutils}/bin/echo url="https://www.duckdns.org/update?domains=kylekrein&token=$TOKEN&ipv6=$REALV6&ip=$REALV4" | ${pkgs.curl}/bin/curl -k -K -
${pkgs.coreutils}/bin/mkdir -p /etc/fail2ban/jail.d
${pkgs.coreutils}/bin/cat > /etc/fail2ban/jail.d/duckdns-ignore.local <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.178.1/24 $REALV4 $REALV6
EOF
''; '';
in '' in ''
set -eu set -eu

60
systems/x86_64-linux/stargate/services/aliasvault.nix Normal file
View file

@ -0,0 +1,60 @@
{
pkgs,
lib,
config,
...
}: {
systemd.tmpfiles.rules = [
# format: type path mode uid gid age argument
"d /var/lib/aliasvault 0750 100 102 - -"
"d /var/lib/aliasvault/database 0700 100 102 - -"
"d /var/lib/aliasvault/logs 0750 100 102 - -"
"d /var/lib/aliasvault/secrets 0750 100 102 - -"
];
# Подман
virtualisation.podman.enable = true;
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers.aliasvault = {
image = "ghcr.io/aliasvault/aliasvault:latest";
autoStart = true;
ports = [
"127.0.0.1:8086:80"
"127.0.0.1:8444:443"
"127.0.0.1:2525:25"
"127.0.0.1:5877:587"
];
volumes = [
"/var/lib/aliasvault/database:/database:rw"
"/var/lib/aliasvault/logs:/logs:rw"
"/var/lib/aliasvault/secrets:/secrets:rw"
];
environment = {
HOSTNAME = "pass.kylekrein.com";
PUBLIC_REGISTRATION_ENABLED = "false";
IP_LOGGING_ENABLED = "true";
FORCE_HTTPS_REDIRECT = "false"; # SSL делаем на nginx
SUPPORT_EMAIL = "";
PRIVATE_EMAIL_DOMAINS = "notthebees.org";
};
};
# Nginx
services.nginx.virtualHosts."pass.kylekrein.com" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://localhost:8086/";
proxyWebsockets = true;
};
};
};
# Firewall
networking.firewall.allowedTCPPorts = [80 443 587 25];
}

2
systems/x86_64-linux/stargate/services/fail2ban.nix
View file

@ -8,7 +8,7 @@
"fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition] [Definition]
norestored = true # Needed to avoid receiving a new notification after every restart norestored = true # Needed to avoid receiving a new notification after every restart
actionban = echo "<ip> has been banned: <name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." | /run/wrappers/bin/sendmail -i fail2ban@localhost.com actionban = ${pkgs.coreutils}/bin/echo "<ip> has been banned: <name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." | /run/wrappers/bin/sendmail -i fail2ban@localhost.com
''); '');
# Defines a filter that detects URL probing by reading the Nginx access log # Defines a filter that detects URL probing by reading the Nginx access log
"fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''

23
systems/x86_64-linux/stargate/services/ntfy-sh.nix
View file

@ -28,27 +28,4 @@ with lib.custom; {
attachment-cache-dir = "/var/lib/ntfy-sh/attachments"; attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
}; };
}; };
services.postfix = {
enable = true;
config = {
myhostname = "stargate.local";
mydestination = "localhost, localhost.com";
relayhost = "";
transport_maps = "hash:/etc/postfix.conf";
};
};
environment.etc."postfix.conf".text = ''
localhost.com smtp:[127.0.0.1]:1299
'';
systemd.services.postmap-transport = {
description = "Generate postfix transport.db from transport";
wantedBy = ["multi-user.target"];
before = ["postfix.service"];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.postfix}/bin/postmap /etc/postfix.conf";
};
};
} }

32
systems/x86_64-linux/stargate/services/postfix.nix Normal file
View file

@ -0,0 +1,32 @@
{
pkgs,
lib,
config,
...
}: {
services.postfix = {
enable = true;
config = {
myhostname = "stargate.local";
mydestination = "localhost, localhost.com";
relay_domains = "notthebees.org";
transport_maps = "hash:/etc/postfix.conf";
inet_interfaces = "all";
};
};
environment.etc."postfix.conf".text = ''
localhost.com smtp:[127.0.0.1]:1299
notthebees.org smtp:[127.0.0.1]:2525
'';
systemd.services.postmap-transport = {
description = "Generate postfix transport.db from transport";
wantedBy = ["multi-user.target"];
before = ["postfix.service"];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.postfix}/bin/postmap /etc/postfix.conf";
};
};
}