Diffstat (limited to 'modules/hosts/ltrr-block')
| -rw-r--r-- | modules/hosts/ltrr-block/configuration.nix | 219 | ||||
| -rw-r--r-- | modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age | 9 | ||||
| -rw-r--r-- | modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age | bin | 0 -> 583 bytes | |||
| -rw-r--r-- | modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age | bin | 0 -> 3214 bytes | |||
| -rw-r--r-- | modules/hosts/ltrr-block/secrets/stalwart-admin.key.age | 9 | ||||
| -rw-r--r-- | modules/hosts/ltrr-block/secrets/stalwart-cert.age | bin | 0 -> 3159 bytes | |||
| -rw-r--r-- | modules/hosts/ltrr-block/secrets/stalwart-pk.age | bin | 0 -> 582 bytes |
7 files changed, 220 insertions, 17 deletions
diff --git a/modules/hosts/ltrr-block/configuration.nix b/modules/hosts/ltrr-block/configuration.nix index 5ee4711..556c852 100644 --- a/modules/hosts/ltrr-block/configuration.nix +++ b/modules/hosts/ltrr-block/configuration.nix @@ -13,6 +13,7 @@ modulesPath, pkgs, config, + lib, ... }: let domain = "kcu.su"; @@ -63,6 +64,15 @@ }; }; + users.users.git = { + group = "git"; + extraGroups = ["files"]; + home = lib.mkForce "/var/lib/git"; + createHome = true; + isSystemUser = true; + }; + users.groups.git = {}; + users.users.mc = { isNormalUser = true; packages = with pkgs; [ @@ -99,8 +109,18 @@ networking.hostName = "ltrr-block"; networking.firewall = { - allowedTCPPorts = [80 5030 2049 25565]; - allowedUDPPorts = [51820 16261 16262]; + allowedTCPPorts = [ + 80 + # mail + 25 + 465 + 993 + + 25565 # minecraft + ]; + allowedUDPPorts = [ + 51820 + ]; }; security.acme = { @@ -137,13 +157,24 @@ "tube".proxyPass = "http://127.0.0.1:5410"; "torrents".proxyPass = "http://127.0.0.1:7317"; "jellyfin".proxyPass = "http://127.0.0.1:8096"; + "books" = { + proxyPass = "http://127.0.0.1:6458"; + proxyWebsockets = true; + }; "lidarr" = { proxyPass = "http://127.0.0.1:8686"; proxyWebsockets = true; }; - - "prowlarr".proxyPass = "http://127.0.0.1:9696"; "shelfmark".proxyPass = "http://127.0.0.1:8084"; + "mail".proxyPass = "http://127.0.0.1:7845"; + }; + extraVirtualHosts = { + "navidrome.${domain}" = { + enableAuthelia = false; + }; + "git.${domain}" = { + enableAuthelia = false; + }; }; }; @@ -235,10 +266,6 @@ group = "music"; }; - services.prowlarr = { - enable = true; - }; - services.qbittorrent = { enable = true; user = "files"; @@ -410,7 +437,7 @@ # "127.0.0.1:8083:8083" # ]; # volumes = [ - # "/srv/files/books:/calibre-library" + # "/srv/files/books/library:/calibre-library" # "/srv/files/books/injest:/cwa-book-ingest" # "/var/lib/cwa:/config" # ]; 
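Review bot: With `enableAuthelia = false` on `"git.${domain}"` in the nginx hunk and `gitHttpBackend.checkExportOkFiles = false` in the later cgit hunk, every repository under `/srv/files/git` looks clonable over HTTP without authentication. That path is also gitolite's `GL_REPO_BASE`, so it would include `gitolite-admin` and any repository meant to stay private; `project-list` presumably filters only what cgit lists, not what git-http-backend serves. Consider `checkExportOkFiles = true;` together with `strict-export = "git-daemon-export-ok";` in the cgit `settings`, so only repositories explicitly marked for export are served. `extraVirtualHosts` and `enableAuthelia` come from a module defined outside this diff, so confirm what disabling it leaves in place.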
@@ -441,16 +468,36 @@ "host" ]; }; - services.booklore = { + + services.audiobookshelf = { enable = true; - subdomain = "books"; - uid = "1000"; - gid = "1001"; - settings = { - timezone = "Europe/Yekaterinburg"; - booksDir = "/srv/files/books/library"; - bookdropDir = "/srv/files/books/injest"; + port = 6458; + user = "files"; + group = "books"; + }; + + createPaths."/var/lib/stump" = { + owner = "files"; + group = "books"; + permissions = "0750"; + }; + + virtualisation.oci-containers.containers.stump = { + image = "aaronleopold/stump:nightly"; + volumes = [ + "/var/lib/stump:/config" + "/srv/files/books/library:/data" + ]; + ports = [ + "127.0.0.1:10821:10801" + ]; + environment = { + PUID = "1000"; + PGID = "1001"; }; + networks = [ + "host" + ]; }; services.watcharr = { 
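Review bot: `image = "aaronleopold/stump:nightly"` follows a mutable nightly tag, so each pull can run different, unreviewed code with access to `/srv/files/books/library`; pin a release tag or digest instead, e.g. `image = "aaronleopold/stump:<release>@sha256:<digest>";` (placeholders). Separately, `networks = ["host"]` places the container in the host network namespace, where published `ports` are normally ignored. The `127.0.0.1:10821:10801` mapping therefore probably does not restrict the listener to loopback, and the service would rely on the firewall alone. Either drop the host network so the loopback mapping takes effect, or remove the `ports` entry and add a comment stating which address the service is expected to listen on.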
@@ -458,6 +505,144 @@ subdomain = "watched"; }; + age.secrets.stalwart-admin = { + rekeyFile = ./secrets/stalwart-admin.key.age; + }; + age.secrets.stalwart-cert = { + rekeyFile = ./secrets/stalwart-cert.age; + }; + age.secrets.stalwart-pk = { + rekeyFile = ./secrets/stalwart-pk.age; + }; + + services.stalwart-mail = { + enable = true; + settings = { + server = { + hostname = "mail.kcu.su"; + listener = { + smtp = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + submissions = { + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + imaptls = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + management = { + bind = ["127.0.0.1:7845"]; + protocol = "http"; + }; + }; + }; + storage = { + data = "rocksdb"; + fts = "rocksdb"; + blob = "rocksdb"; + lookup = "rocksdb"; + directory = "internal"; + }; + store.rocksdb = { + type = "rocksdb"; + path = "${config.services.stalwart-mail.dataDir}/data"; + compression = "lz4"; + }; + directory.internal = { + type = "internal"; + store = "rocksdb"; + }; + tracer.stdout = { + type = "stdout"; + level = "info"; + ansi = false; + enable = true; + }; + authentication.fallback-admin = { + user = "admin_fallback"; + secret = "%{file:/run/credentials/stalwart-mail.service/admin_secret}%"; + }; + config = { + local-keys = [ + "store.*" + "directory.*" + "tracer.*" + "!server.blocked-ip.*" + "!server.allowed-ip.*" + "server.*" + "authentication.fallback-admin.*" + "cluster.*" + "config.local-keys.*" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "certificate.*" + ]; + }; + certificate.default = { + cert = "%{file:/run/credentials/stalwart-mail.service/cert}%"; + private-key = "%{file:/run/credentials/stalwart-mail.service/pk}%"; + default = true; + }; + }; + credentials = { + cert = config.age.secrets.stalwart-cert.path; + pk = config.age.secrets.stalwart-pk.path; + admin_secret = config.age.secrets.stalwart-admin.path; + }; + }; + + 
createPaths."/srv/files/git" = { + owner = "git"; + group = "git"; + permissions = "0770"; + }; + services.cgit.kcu = { + enable = true; + user = "git"; + group = "git"; + scanPath = "/srv/files/git"; + gitHttpBackend = { + enable = true; + checkExportOkFiles = false; + }; + nginx.virtualHost = "git.${domain}"; + + settings = { + root-title = "kcu.su git"; + root-desc = "this is where i keep my (dead) projects"; + + enable-git-config = 1; + + about-filter = "${pkgs.cgit}/lib/filters/about-formatting.sh"; + source-filter = "${pkgs.cgit}/lib/filters/syntax-highlighting.py"; + readme = [ + "master:README.md" + "master:README.org" + ]; + project-list = "/var/lib/git/projects.list"; + }; + }; + + services.gitolite = { + enable = true; + user = "git"; + description = ""; + group = "git"; + adminPubkey = ""; + extraGitoliteRc = '' + $RC{GIT_CONFIG_KEYS} = ".*"; + $RC{GL_REPO_BASE} = "/srv/files/git"; + ''; + }; + services.immich = { enable = true; }; diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age new file mode 100644 index 0000000..90ca528 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ptoveQ vDi/rd7OWJyvz4nnM2kwX+8f9Vvru1lgvEXXHoD5TgQ +qMckZ4SxsRksF8Yg8MtSlZtvn/sm73xskjI9DSmIQtE +-> 8-grease k# SA{/ =I;)gK +844hA/7PS0QSd1dP16JX7JTJW8NWhSouyEF7VBpa8+uIZSrfUOwJDs+Af7dtIEd2 + +--- TLscAo6DhT5qKf7AAH7GqpigW8L/bMsoSBpoDWmVRtI +7+"Ry&(_(HkVLNm8WCg[pZkΗK`o"eV#KܰDyyRċTiB
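Review bot: `$RC{GIT_CONFIG_KEYS} = ".*";` in `extraGitoliteRc` lets gitolite.conf set any git config key on any repository, which gitolite's documentation warns against because some keys can cause commands to run as the `git` user. cgit's `enable-git-config = 1` only reads `gitweb.*` and `cgit.*` keys, so `$RC{GIT_CONFIG_KEYS} = 'gitweb\..* cgit\..*';` should be enough for the listing metadata. `adminPubkey = ""` looks redacted or unfinished; as written the gitolite setup step would probably fail or leave an admin with no usable key, so a comment saying where the real key comes from would help.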
|uW + d%vPH&ۻ:z
\ No newline at end of file diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age Binary files differnew file mode 100644 index 0000000..8a778bf --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age Binary files differnew file mode 100644 index 0000000..4279838 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age diff --git a/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age new file mode 100644 index 0000000..8ae6dd3 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 5YBERzwh+Vis6esJiMwoUQbRSeB3XqufSnpOLvx8qRw +0tgBOtYD7n5C8yMluNij1rimPAxc4k8/WLWcxdvR7A8 +-> ?&'/-grease bm}^I5I uJ~R_S '/<ECm +l6zIQMmDjFRA8hqVXsfu+6Qmn9LHQu8X3axNNMSIoId2FCG38gd/xbSq80z3BWhg +2t1sXRD7+msi8Vxghdh56e++atH5oli36/vQOoyhfcM +--- fq2O9hy5sEtEpHrayYJ5c6Z6UmN+fW/iukMQJeAjVt4 ++WqJ23DȘ(By0 +1ÅRNn
W634A&ZA-|E3hry֏L0HYNe^ImBnԮ0Ln^hY̴agVӰu
\ No newline at end of file diff --git a/modules/hosts/ltrr-block/secrets/stalwart-cert.age b/modules/hosts/ltrr-block/secrets/stalwart-cert.age Binary files differnew file mode 100644 index 0000000..88ae1b9 --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-cert.age diff --git a/modules/hosts/ltrr-block/secrets/stalwart-pk.age b/modules/hosts/ltrr-block/secrets/stalwart-pk.age Binary files differnew file mode 100644 index 0000000..b0f092a --- /dev/null +++ b/modules/hosts/ltrr-block/secrets/stalwart-pk.age |
