switch to simple-mail-server
This commit is contained in:
parent
82b1aa01f4
commit
6db8dc91b1
94
flake.lock
94
flake.lock
|
|
@ -1,5 +1,21 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"buildbot-nix": {
|
||||
"inputs": {
|
||||
"flake-parts": [
|
||||
|
|
@ -77,6 +93,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
|
|
@ -97,6 +128,24 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixlib": {
|
||||
"locked": {
|
||||
"lastModified": 1712450863,
|
||||
|
|
@ -172,6 +221,33 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": [
|
||||
"flake-compat"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"utils": [
|
||||
"flake-utils"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717515088,
|
||||
"narHash": "sha256-nWOLpPA7+k7V1OjXTuxdsVd5jeeI0b13Di57wvnqkic=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "0d51a32e4799d081f260eb4db37145f5f4ee7456",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1714314149,
|
||||
|
|
@ -192,7 +268,10 @@
|
|||
"inputs": {
|
||||
"buildbot-nix": "buildbot-nix",
|
||||
"clan-core": "clan-core",
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-parts": "flake-parts",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixos-mailserver": "nixos-mailserver",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"srvos": "srvos",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
|
|
@ -242,6 +321,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
|
|
|||
|
|
@ -8,11 +8,20 @@
|
|||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
flake-compat.url = "github:edolstra/flake-compat";
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||
treefmt-nix.url = "github:numtide/treefmt-nix";
|
||||
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
nixos-mailserver = {
|
||||
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.utils.follows = "flake-utils";
|
||||
inputs.flake-compat.follows = "flake-compat";
|
||||
};
|
||||
|
||||
srvos.url = "github:numtide/srvos";
|
||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@
|
|||
inputs.srvos.nixosModules.mixins-nginx
|
||||
inputs.srvos.nixosModules.mixins-nix-experimental
|
||||
./web01
|
||||
inputs.nixos-mailserver.nixosModules.mailserver
|
||||
./mailserver.nix
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
39
modules/mailserver.nix
Normal file
39
modules/mailserver.nix
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, inputs
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
mailPassword =
|
||||
{ service }:
|
||||
{
|
||||
secret."${service}-password" = { };
|
||||
secret."${service}-password-hash" = { };
|
||||
generator.path = with pkgs; [
|
||||
coreutils
|
||||
xkcdpass
|
||||
mkpasswd
|
||||
];
|
||||
generator.script = ''
|
||||
xkcdpass -n 4 -d - > $secrets/${service}-password
|
||||
cat $secrets/${service}-password | mkpasswd -s -m bcrypt > $secrets/${service}-password-hash
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
mailserver = rec {
|
||||
enable = true;
|
||||
fqdn = "mail.clan.lol";
|
||||
domains = [ "clan.lol" ];
|
||||
|
||||
loginAccounts."golem@clan.lol".hashedPasswordFile =
|
||||
config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
|
||||
loginAccounts."gitea@clan.lol".hashedPasswordFile =
|
||||
config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
|
||||
};
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
|
||||
clanCore.facts.services.gitea-mail = mailPassword { service = "gitea"; };
|
||||
}
|
||||
|
|
@ -26,13 +26,16 @@ in
|
|||
package = self.packages.${pkgs.hostPlatform.system}.gitea;
|
||||
|
||||
settings.actions.ENABLED = true;
|
||||
|
||||
mailerPasswordFile = config.clanCore.facts.services.gitea-mail.secret.gitea-password.path;
|
||||
|
||||
settings.mailer = {
|
||||
ENABLED = true;
|
||||
FROM = "gitea@clan.lol";
|
||||
SMTP_ADDR = "localhost";
|
||||
SMTP_PORT = 25;
|
||||
PROTOCOL = "smtps";
|
||||
USER = "gitea@clan.lol";
|
||||
HOST = "mail.thalheim.io:587";
|
||||
};
|
||||
|
||||
settings.log.LEVEL = "Error";
|
||||
settings.service.DISABLE_REGISTRATION = false;
|
||||
settings.metrics.ENABLED = true;
|
||||
|
|
@ -47,6 +50,8 @@ in
|
|||
settings.session.COOKIE_SECURE = true;
|
||||
};
|
||||
|
||||
sops.secrets.web01-gitea-password.owner = config.systemd.services.gitea.serviceConfig.User;
|
||||
|
||||
services.nginx.virtualHosts."git.clan.lol" = publog {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
|
|
|||
|
|
@ -1,40 +1,41 @@
|
|||
{ config, ... }:
|
||||
{ }
|
||||
|
||||
let
|
||||
domain = "clan.lol";
|
||||
in
|
||||
{
|
||||
services.opendkim.enable = true;
|
||||
services.opendkim.domains = domain;
|
||||
services.opendkim.selector = "v1";
|
||||
services.opendkim.user = config.services.postfix.user;
|
||||
services.opendkim.group = config.services.postfix.group;
|
||||
|
||||
# postfix configuration for sending emails only
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
hostname = "mail.${domain}";
|
||||
inherit domain;
|
||||
|
||||
config = {
|
||||
smtp_tls_note_starttls_offer = "yes";
|
||||
|
||||
smtp_dns_support_level = "dnssec";
|
||||
smtp_tls_security_level = "dane";
|
||||
|
||||
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
||||
|
||||
smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
||||
mydestination = "localhost.$mydomain, localhost, $myhostname";
|
||||
myorigin = "$mydomain";
|
||||
|
||||
milter_default_action = "accept";
|
||||
milter_protocol = "6";
|
||||
smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
|
||||
inet_interfaces = "loopback-only";
|
||||
inet_protocols = "all";
|
||||
};
|
||||
};
|
||||
}
|
||||
#{ config, ... }:
|
||||
#let
|
||||
# domain = "clan.lol";
|
||||
#in
|
||||
#{
|
||||
# services.opendkim.enable = true;
|
||||
# services.opendkim.domains = domain;
|
||||
# services.opendkim.selector = "v1";
|
||||
# services.opendkim.user = config.services.postfix.user;
|
||||
# services.opendkim.group = config.services.postfix.group;
|
||||
#
|
||||
# # postfix configuration for sending emails only
|
||||
# services.postfix = {
|
||||
# enable = true;
|
||||
# hostname = "mail.${domain}";
|
||||
# inherit domain;
|
||||
#
|
||||
# config = {
|
||||
# smtp_tls_note_starttls_offer = "yes";
|
||||
#
|
||||
# smtp_dns_support_level = "dnssec";
|
||||
# smtp_tls_security_level = "dane";
|
||||
#
|
||||
# tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
|
||||
#
|
||||
# smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
|
||||
# mydestination = "localhost.$mydomain, localhost, $myhostname";
|
||||
# myorigin = "$mydomain";
|
||||
#
|
||||
# milter_default_action = "accept";
|
||||
# milter_protocol = "6";
|
||||
# smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
# non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
|
||||
#
|
||||
# inet_interfaces = "loopback-only";
|
||||
# inet_protocols = "all";
|
||||
# };
|
||||
# };
|
||||
#}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user