forked from clan/clan-infra
switch to simple-mail-server
This commit is contained in:
parent
7e39d50ebe
commit
1b7c3b44f8
94
flake.lock
94
flake.lock
@ -1,5 +1,21 @@
|
|||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"blobs": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1604995301,
|
||||||
|
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||||
|
"owner": "simple-nixos-mailserver",
|
||||||
|
"repo": "blobs",
|
||||||
|
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||||
|
"type": "gitlab"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "simple-nixos-mailserver",
|
||||||
|
"repo": "blobs",
|
||||||
|
"type": "gitlab"
|
||||||
|
}
|
||||||
|
},
|
||||||
"buildbot-nix": {
|
"buildbot-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-parts": [
|
"flake-parts": [
|
||||||
@ -75,6 +91,21 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"flake-compat": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1696426674,
|
||||||
|
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-parts": {
|
"flake-parts": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs-lib": [
|
"nixpkgs-lib": [
|
||||||
@ -95,6 +126,24 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"flake-utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1710146030,
|
||||||
|
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixlib": {
|
"nixlib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1712450863,
|
"lastModified": 1712450863,
|
||||||
@ -170,6 +219,33 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixos-mailserver": {
|
||||||
|
"inputs": {
|
||||||
|
"blobs": "blobs",
|
||||||
|
"flake-compat": [
|
||||||
|
"flake-compat"
|
||||||
|
],
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"utils": [
|
||||||
|
"flake-utils"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1717515088,
|
||||||
|
"narHash": "sha256-nWOLpPA7+k7V1OjXTuxdsVd5jeeI0b13Di57wvnqkic=",
|
||||||
|
"owner": "simple-nixos-mailserver",
|
||||||
|
"repo": "nixos-mailserver",
|
||||||
|
"rev": "0d51a32e4799d081f260eb4db37145f5f4ee7456",
|
||||||
|
"type": "gitlab"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "simple-nixos-mailserver",
|
||||||
|
"repo": "nixos-mailserver",
|
||||||
|
"type": "gitlab"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1717868076,
|
"lastModified": 1717868076,
|
||||||
@ -190,7 +266,10 @@
|
|||||||
"inputs": {
|
"inputs": {
|
||||||
"buildbot-nix": "buildbot-nix",
|
"buildbot-nix": "buildbot-nix",
|
||||||
"clan-core": "clan-core",
|
"clan-core": "clan-core",
|
||||||
|
"flake-compat": "flake-compat",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
|
"flake-utils": "flake-utils",
|
||||||
|
"nixos-mailserver": "nixos-mailserver",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"srvos": "srvos",
|
"srvos": "srvos",
|
||||||
"treefmt-nix": "treefmt-nix"
|
"treefmt-nix": "treefmt-nix"
|
||||||
@ -240,6 +319,21 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"systems": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"treefmt-nix": {
|
"treefmt-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
10
flake.nix
10
flake.nix
@ -8,12 +8,20 @@
|
|||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||||
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
flake-compat.url = "github:edolstra/flake-compat";
|
||||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||||
treefmt-nix.url = "github:numtide/treefmt-nix";
|
treefmt-nix.url = "github:numtide/treefmt-nix";
|
||||||
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
|
nixos-mailserver = {
|
||||||
|
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
inputs.utils.follows = "flake-utils";
|
||||||
|
inputs.flake-compat.follows = "flake-compat";
|
||||||
|
};
|
||||||
|
|
||||||
srvos.url = "github:numtide/srvos";
|
srvos.url = "github:numtide/srvos";
|
||||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
@ -27,6 +27,8 @@
|
|||||||
inputs.srvos.nixosModules.mixins-nginx
|
inputs.srvos.nixosModules.mixins-nginx
|
||||||
inputs.srvos.nixosModules.mixins-nix-experimental
|
inputs.srvos.nixosModules.mixins-nix-experimental
|
||||||
./web01
|
./web01
|
||||||
|
inputs.nixos-mailserver.nixosModules.mailserver
|
||||||
|
./mailserver.nix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
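Review bot: The second hunk imports `./mailserver.nix` next to `./web01`, while the file this commit adds is `modules/mailserver.nix`; if that hunk really lives in `flake.nix` as the page header says, the relative path will not resolve, and if it lives in a file under `modules/` (which the `./web01` sibling suggests) the rendering has dropped a file header and the path is fine — worth confirming before merging. In the first hunk `nixos-mailserver` follows `nixpkgs`, `flake-utils` and `flake-compat`, so the mailserver module is built against nixpkgs-unstable rather than the nixpkgs it was released against; a comment in the style of the existing srvos line, `# Built against our nixpkgs; nixos-mailserver tracks unstable too`, would record that this is intended rather than accidental. The enclosing `inputs` attrset continues outside the hunk.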
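--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -0,0 +1,39 @@
+{ config
+, pkgs
+, inputs
+, ...
+}:
+let
+mailPassword =
+{ service }:
+{
+secret."${service}-password" = { };
+secret."${service}-password-hash" = { };
+generator.path = with pkgs; [
+coreutils
+xkcdpass
+mkpasswd
+];
+generator.script = ''
+xkcdpass -n 4 -d - > $secrets/${service}-password
+cat $secrets/${service}-password | mkpasswd -s -m bcrypt > $secrets/${service}-password-hash
+'';
+};
+in
+{
+mailserver = rec {
+enable = true;
+fqdn = "mail.clan.lol";
+domains = [ "clan.lol" ];
+
+loginAccounts."golem@clan.lol".hashedPasswordFile =
+config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
+loginAccounts."gitea@clan.lol".hashedPasswordFile =
+config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
+};
+
+security.acme.acceptTerms = true;
+
+clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
+clanCore.facts.services.gitea-mail = mailPassword { service = "gitea"; };
+}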
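Review bot: The `generator.script` has no `set -euo pipefail`, so if `xkcdpass` fails the redirect still creates an empty `${service}-password`, `mkpasswd -s` then hashes an empty string into `${service}-password-hash`, and that hash becomes a valid login for `<service>@clan.lol`; assuming the generator runs under bash, start the script with `set -euo pipefail` and drop the useless `cat`: `mkpasswd -s -m bcrypt < $secrets/${service}-password > $secrets/${service}-password-hash`. Two consumers read these files — nixos-mailserver takes the hash via `hashedPasswordFile`, Gitea the plaintext via `mailerPasswordFile` — and whether each strips the trailing newline `xkcdpass` writes should be confirmed, otherwise the SMTP login will never match the stored hash. Four words from xkcdpass's default list give roughly 50 bits of entropy, which is fine for a submission-port credential only with the server's rate limiting in front of it; `-n 6` puts it beyond online guessing outright at no cost. Minor: `rec` on `mailserver = rec {` is unused, as is the `inputs` module argument.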
@ -27,13 +27,16 @@ in
|
|||||||
package = self.packages.${pkgs.hostPlatform.system}.gitea;
|
package = self.packages.${pkgs.hostPlatform.system}.gitea;
|
||||||
|
|
||||||
settings.actions.ENABLED = true;
|
settings.actions.ENABLED = true;
|
||||||
|
|
||||||
|
mailerPasswordFile = config.clanCore.facts.services.gitea-mail.secret.gitea-password.path;
|
||||||
|
|
||||||
settings.mailer = {
|
settings.mailer = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
FROM = "gitea@clan.lol";
|
FROM = "gitea@clan.lol";
|
||||||
SMTP_ADDR = "localhost";
|
USER = "gitea@clan.lol";
|
||||||
SMTP_PORT = 25;
|
HOST = "mail.thalheim.io:587";
|
||||||
PROTOCOL = "smtps";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
settings.log.LEVEL = "Error";
|
settings.log.LEVEL = "Error";
|
||||||
settings.service.DISABLE_REGISTRATION = false;
|
settings.service.DISABLE_REGISTRATION = false;
|
||||||
settings.metrics.ENABLED = true;
|
settings.metrics.ENABLED = true;
|
||||||
@ -49,6 +52,8 @@ in
|
|||||||
settings.session.COOKIE_SECURE = true;
|
settings.session.COOKIE_SECURE = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.secrets.web01-gitea-password.owner = config.systemd.services.gitea.serviceConfig.User;
|
||||||
|
|
||||||
services.nginx.virtualHosts."git.clan.lol" = publog {
|
services.nginx.virtualHosts."git.clan.lol" = publog {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
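Review bot: The new mailer settings send the freshly generated `gitea@clan.lol` credential to `HOST = "mail.thalheim.io:587"`, while the account that password is generated for is defined on the `mail.clan.lol` server this commit adds; unless that host is the same machine, Gitea will submit the secret to a different server and the login will fail. `HOST` is also the legacy key that the removed `SMTP_ADDR`/`SMTP_PORT`/`PROTOCOL` form replaced (still accepted with a deprecation warning on the Gitea versions I know), and dropping `PROTOCOL` leaves the transport unspecified; for port 587 the explicit form is `SMTP_ADDR = "mail.clan.lol"; SMTP_PORT = 587; PROTOCOL = "smtp+starttls";`. The `sops.secrets.web01-gitea-password.owner` line in the second hunk presumably matches the `<machine>-<secret>` name the clan facts backend assigns to `gitea-password`; nothing on the page ties the two names together, so a comment `# facts secret "gitea-password" on web01 is stored as sops secret web01-gitea-password` would help the next reader. This file's header was lost in rendering, so which module this is (likely the web01 gitea module) is inferred from the hunk context, and the enclosing attrset continues outside both hunks.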
@ -1,40 +1,41 @@
|
|||||||
{ config, ... }:
|
{ }
|
||||||
|
|
||||||
let
|
#{ config, ... }:
|
||||||
domain = "clan.lol";
|
#let
|
||||||
in
|
# domain = "clan.lol";
|
||||||
{
|
#in
|
||||||
services.opendkim.enable = true;
|
#{
|
||||||
services.opendkim.domains = domain;
|
# services.opendkim.enable = true;
|
||||||
services.opendkim.selector = "v1";
|
# services.opendkim.domains = domain;
|
||||||
services.opendkim.user = config.services.postfix.user;
|
# services.opendkim.selector = "v1";
|
||||||
services.opendkim.group = config.services.postfix.group;
|
# services.opendkim.user = config.services.postfix.user;
|
||||||
|
# services.opendkim.group = config.services.postfix.group;
|
||||||
# postfix configuration for sending emails only
|
#
|
||||||
services.postfix = {
|
# # postfix configuration for sending emails only
|
||||||
enable = true;
|
# services.postfix = {
|
||||||
hostname = "mail.${domain}";
|
# enable = true;
|
||||||
inherit domain;
|
# hostname = "mail.${domain}";
|
||||||
|
# inherit domain;
|
||||||
config = {
|
#
|
||||||
smtp_tls_note_starttls_offer = "yes";
|
# config = {
|
||||||
|
# smtp_tls_note_starttls_offer = "yes";
|
||||||
smtp_dns_support_level = "dnssec";
|
#
|
||||||
smtp_tls_security_level = "dane";
|
# smtp_dns_support_level = "dnssec";
|
||||||
|
# smtp_tls_security_level = "dane";
|
||||||
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
#
|
||||||
|
# tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
||||||
smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
#
|
||||||
mydestination = "localhost.$mydomain, localhost, $myhostname";
|
# smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
||||||
myorigin = "$mydomain";
|
# mydestination = "localhost.$mydomain, localhost, $myhostname";
|
||||||
|
# myorigin = "$mydomain";
|
||||||
milter_default_action = "accept";
|
#
|
||||||
milter_protocol = "6";
|
# milter_default_action = "accept";
|
||||||
smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
# milter_protocol = "6";
|
||||||
non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
# smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||||
|
# non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||||
inet_interfaces = "loopback-only";
|
#
|
||||||
inet_protocols = "all";
|
# inet_interfaces = "loopback-only";
|
||||||
};
|
# inet_protocols = "all";
|
||||||
};
|
# };
|
||||||
}
|
# };
|
||||||
|
#}
|
||||||
|
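Review bot: The whole module is kept as forty commented-out lines behind an empty `{ }` instead of being deleted; git history already preserves it, so the file and its import should go, or at most a one-line `# outbound mail is now handled by nixos-mailserver, see modules/mailserver.nix` should replace the commented block. Security-wise this retires the opendkim signer for `clan.lol` with selector `v1`; nixos-mailserver signs with its own key under its own selector (default `mail`, if I recall its options correctly), so the DKIM DNS record has to be updated or mail from the new server will fail DKIM verification. The old postfix also enforced `smtp_tls_security_level = "dane"` together with `smtp_dns_support_level = "dnssec"` for outbound mail, and nothing in `modules/mailserver.nix` sets an equivalent, so outbound TLS policy now falls back to nixos-mailserver's default and should be restated explicitly if DANE was intentional. The file's header was lost in rendering.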