3 changed files with 3 additions and 72 deletions
--- a/systems/vesuvio/certificates.nix
+++ b/systems/vesuvio/certificates.nix
@ -1,25 +0,0 @@
 { config, ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@uku.moe";
      webroot = "/var/lib/acme/acme-challenge";
    };
  };
  services.nginx.virtualHosts = {
    "acme.uku3lig.net" = {
      serverAliases = [
        "*.uku3lig.net"
        "*.uku.moe"
      ];
      locations."/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
    };
  };
  # /var/lib/acme/acme-challenge must be writable by the ACME user and readable by the Nginx user.
  # The easiest way to achieve this is to add the Nginx user to the ACME group.
  users.users.nginx.extraGroups = [ "acme" ];
 }
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@ -1,7 +1,6 @@
 { pkgs, ... }:
 {
  imports = [
    ./certificates.nix
    ./frp.nix
    ./hetzner.nix
  ];
@ -11,16 +10,8 @@
    traceroute
  ];
-  services = {
+  services.openssh = {
-    nginx.enable = true;
+    ports = [ 4269 ];
-    openssh = {
+    openFirewall = true;
      ports = [ 4269 ];
      openFirewall = true;
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
 }
--- a/systems/vesuvio/mail.nix
+++ b/systems/vesuvio/mail.nix
@ -1,35 +0,0 @@
 { config, ... }:
 let
  certName = "mail.c.uku3lig.net";
  certLocation = config.security.acme.certs.${certName}.directory;
 in
 {
  security.acme.certs.${certName} = {
    group = config.services.maddy.group;
    extraLegoRenewFlags = [ "--reuse-key" ]; # soopyc said its more secure
  };
  services.maddy = {
    enable = true;
    hostname = "mx1.uku3lig.net";
    primaryDomain = "uku3lig.net";
    localDomains = [
      "$(primary_domain)"
      "uku.moe"
    ];
    tls = {
      loader = "file";
      certificates = [
        {
          certPath = "${certLocation}/fullchain.pem";
          keyPath = "${certLocation}/key.pem";
        }
      ];
    };
    config = ''
    '';
  };
 }