Diffstat (limited to 'profiles')
-rw-r--r--profiles/core/configuration.nix2
-rw-r--r--profiles/server/acme.nix11
-rw-r--r--profiles/server/mail.nix24
-rw-r--r--profiles/server/nginx.nix16
4 files changed, 52 insertions, 1 deletions
diff --git a/profiles/core/configuration.nix b/profiles/core/configuration.nix
index 2849800..1fcb139 100644
--- a/profiles/core/configuration.nix
+++ b/profiles/core/configuration.nix
@@ -16,7 +16,7 @@
openssh.authorizedKeys.keys = ivi.sshKeys;
};
root = {
- passwordFile = secrets.password.path;
+ hashedPasswordFile = config.secrets.root.path;
openssh.authorizedKeys.keys = config.ivi.openssh.authorizedKeys.keys;
};
};
diff --git a/profiles/server/acme.nix b/profiles/server/acme.nix
new file mode 100644
index 0000000..c0d7306
--- /dev/null
+++ b/profiles/server/acme.nix
@@ -0,0 +1,11 @@
+{ config, ... }: {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
+ email = ivi.email;
+ dnsProvider = "porkbun";
+ credentialsFile = config.secrets.porkbun.path;
+ };
+ };
+}
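Review bot: `ivi.email` on the `email` line refers to a name this file never binds: the module takes only `{ config, ... }` and has no `let` or `with`, so evaluation should stop with an undefined-variable error. The context line in profiles/core/configuration.nix reads the same data through `config.ivi`, so `email = config.ivi.email;` looks like the intended form, assuming that option is declared there. profiles/server/mail.nix also uses bare `ivi.domain` and `ivi.email`; there it resolves only if `with lib;` happens to expose an `ivi` attribute, so the same change is worth making in both files.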
diff --git a/profiles/server/mail.nix b/profiles/server/mail.nix
new file mode 100644
index 0000000..c6837ef
--- /dev/null
+++ b/profiles/server/mail.nix
@@ -0,0 +1,24 @@
+{ inputs, config, lib, ... }: with lib; {
+ imports = [
+ inputs.simple-nixos-mailserver.nixosModule
+ ];
+ mailserver = {
+ enable = true;
+ enableImap = false;
+ enableSubmission = true;
+ enableImapSsl = true;
+ enableSubmissionSsl = true;
+
+ fqdn = ivi.domain;
+ domains = [ ivi.domain ];
+ loginAccounts = {
+ ${ivi.email} = {
+ hashedPasswordFile = config.secrets.ivi.path;
+ aliases = [ "@${ivi.domain}" ];
+ };
+ };
+ certificateScheme = "acme";
+
+ lmtpSaveToDetailMailbox = "no";
+ };
+}
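Review bot: The alias `"@${ivi.domain}"` under `loginAccounts` is a catch-all and deserves a comment. As I read the simple-nixos-mailserver `aliases` option, it delivers mail for every local part of the domain to this one account and also lets that account send as any address in the domain. A line such as `# catch-all: receives all mail for the domain and may send as any address in it` above `aliases` would show the choice is deliberate. It would also help to note next to `hashedPasswordFile` that the secret must contain a password hash, not the plaintext password.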
diff --git a/profiles/server/nginx.nix b/profiles/server/nginx.nix
new file mode 100644
index 0000000..526a8e7
--- /dev/null
+++ b/profiles/server/nginx.nix
@@ -0,0 +1,16 @@
+{ inputs, lib, ... }: with lib; {
+ # apparently you can set defaults on existing modules?
+ options.services.nginx.virtualHosts = mkOption {
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ config = mkIf (name != "default") {
+ forceSSL = mkDefault true;
+ enableACME = mkDefault true;
+ };
+ }));
+ };
+ config = {
+ services.nginx = {
+ enable = true;
+ };
+ };
+}
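Review bot: The `name != "default"` guard silently exempts a virtual host called `default` from `forceSSL` and `enableACME`, and the only comment in the file is a question rather than an explanation. I would replace it with `# Extend the virtualHosts submodule so every vhost except "default" gets forceSSL and enableACME unless it overrides them`, and say why `default` may stay on plain HTTP. Because `enableACME` now defaults to true, a vhost that sets `useACMEHost` will probably need an explicit `enableACME = false;`, which is worth confirming against the nginx module's assertions. `inputs` is bound in the argument set but never used.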