postRun = "systemctl try-restart public-inbox-nntpd public-inbox-imapd";
};
networking.nftables.ruleset = ''
- add rule inet filter net2fw tcp dport ${toString public-inbox.nntp.port} counter accept comment "NNTPS"
- add rule inet filter net2fw tcp dport 1993 counter accept comment "IMAPS"
+ table inet filter {
+ chain input-net {
+ tcp dport ${toString public-inbox.nntp.port} counter accept comment "public-inbox: NNTPS"
+ tcp dport 1993 counter accept comment "public-inbox: IMAPS"
+ }
+ chain output-net {
+ }
+ }
'';
fileSystems."/var/lib/public-inbox" = {
device = "rpool/var/public-inbox";
};
systemd.services = {
public-inbox-httpd = {
+ confinement.enable = true;
serviceConfig = {
SupplementaryGroups = [ groups."git-daemon".name ];
- BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
+ #BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
};
};
public-inbox-imapd = {
+ confinement.enable = true;
wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
after = [ "acme-selfsigned-${domain}.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];
};
};
+ public-inbox-init = {
+ confinement.enable = true;
+ };
public-inbox-nntpd = {
+ confinement.enable = true;
wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
after = [ "acme-selfsigned-${domain}.service" ];
serviceConfig = {
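Review bot: In `public-inbox-httpd`, `confinement.enable = true` is added while the ACME bind is only commented out (`#BindReadOnlyPaths = [ "/var/lib/acme/${domain}" ];`), with no reason given. Under NixOS systemd confinement the unit sees only its store closure plus explicit bind mounts, so if httpd still reads that directory it will fail at start. If it does not need it (TLS is presumably terminated by a front-end), delete the line or replace it with a why-comment such as `# TLS is terminated by the reverse proxy; httpd needs no certificate access`. The `SupplementaryGroups` entry kept above it only helps if the git-daemon paths are also bound into the confined root, which is not visible here. The empty `chain output-net { }` in the nftables ruleset deserves a one-line comment saying it is declared on purpose; the `public-inbox-nntpd` `serviceConfig` body continues outside the hunk.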
};
services.public-inbox = {
enable = true;
+ postfix.enable = true;
settings.publicinbox = {
css = [ "href=https://mails.${domain}/style/light.css" ];
nntpserver = [ "nntps://news.${domain}" ];
wwwlisting = "match=domain";
+ #imapserver = [ "mails.${domain}" ];
};
mda = {
enable = true;
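Review bot: The added `#imapserver = [ "mails.${domain}" ];` is dead configuration with no explanation, although the same commit keeps IMAPS reachable on port 1993 in the nftables ruleset and confines `public-inbox-imapd`. Either enable it or say why it is off, for example `# imapserver unset on purpose: IMAP endpoint is not advertised in the web UI` if that is the reason. The commented value has no URL scheme while `nntpserver` uses `nntps://`, which is worth checking before it is enabled. `postfix.enable = true` would also benefit from a short comment that it supersedes the hand-written `services.postfix.virtual` map removed further down, so a reader knows where recipient routing for the list addresses now comes from.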
news = {
address = [
"news@${domain}"
- "public-inbox+news@${domain}"
];
description = ''
news@${domain} :
chat = {
address = [
"chat@${domain}"
- "public-inbox+chat@${domain}"
];
description = ''
chat@${domain} :
contact = {
address = [
"contact@${domain}"
- "public-inbox+contact@${domain}"
];
description = ''
contact@${domain} :
environnement = {
address = [
"environnement@${domain}"
- "public-inbox+environnement@${domain}"
];
description = ''
environnement@${domain} :
labo = {
address = [
"labo@${domain}"
- "public-inbox+labo@${domain}"
];
description = ''
labo@${domain} :
prod = {
address = [
"prod@${domain}"
- "public-inbox+prod@${domain}"
];
description = ''
prod@${domain} :
orga = {
address = [
"orga@${domain}"
- "public-inbox+orga@${domain}"
];
description = ''
orga@${domain} :
test = {
address = [
"test@${domain}"
- "public-inbox+test@${domain}"
];
description = ''
test@${domain} :
} // lib.genAttrs (map baseNameOf repositories) (name: {
address = [
"${name}@${domain}"
- "public-inbox+${name}@${domain}"
];
description = ''
${name}@${domain} :
cgitUrl = "https://code.${domain}/${path}.git";
}) repositories);
};
-services.postfix.virtual = lib.concatMapStringsSep "\n" (name: ''
- ${name}@${domain} public-inbox@localhost
-'') (map baseNameOf repositories);
services.sanoid.datasets."rpool/var/public-inbox" = {
use_template = [ "snap" ];
daily = 7;