diff --git a/flake.lock b/flake.lock index e97ceb6..4c6ffc1 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "buildbot-nix": { "inputs": { "flake-parts": [ @@ -77,6 +93,21 @@ "type": "github" } }, + "flake-compat": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -97,6 +128,24 @@ "type": "github" } }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixlib": { "locked": { "lastModified": 1712450863, 
@@ -172,6 +221,33 @@ "type": "github" } }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": [ + "flake-compat" + ], + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "flake-utils" + ] + }, + "locked": { + "lastModified": 1717515088, + "narHash": "sha256-nWOLpPA7+k7V1OjXTuxdsVd5jeeI0b13Di57wvnqkic=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "0d51a32e4799d081f260eb4db37145f5f4ee7456", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { "lastModified": 1714314149, @@ -192,7 +268,10 @@ "inputs": { "buildbot-nix": "buildbot-nix", "clan-core": "clan-core", + "flake-compat": "flake-compat", "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs", "srvos": "srvos", "treefmt-nix": "treefmt-nix" @@ -242,6 +321,21 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index cca84d4..6115dcd 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,11 +8,20 @@ inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ flake-compat.url = "github:edolstra/flake-compat";
 flake-parts.url = "github:hercules-ci/flake-parts";
 flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
 treefmt-nix.url = "github:numtide/treefmt-nix";
 treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+ nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.utils.follows = "flake-utils";
+ inputs.flake-compat.follows = "flake-compat";
+ };
+
 srvos.url = "github:numtide/srvos";
 # Use the version of nixpkgs that has been tested to work with SrvOS
 srvos.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/modules/flake-module.nix b/modules/flake-module.nix
index 75c9140..9c57836 100644
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -27,6 +27,8 @@ inputs.srvos.nixosModules.mixins-nginx
 inputs.srvos.nixosModules.mixins-nix-experimental
 ./web01
+ inputs.nixos-mailserver.nixosModules.mailserver
+ ./mailserver.nix
 ];
 };
 }
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
new file mode 100644
index 0000000..49034f4
--- /dev/null
+++ b/modules/mailserver.nix
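Review bot: `flake-utils` and `flake-compat` are declared as top-level inputs although nothing else in this diff references them; they appear to exist only so the `follows` entries under `nixos-mailserver` resolve to one shared copy, and that intent is not written down. Add a comment above `flake-utils.url`, e.g. `# only declared so nixos-mailserver's inputs can follow a single shared copy`, so a later cleanup does not drop them and silently re-vendor the mailserver's own copies of both.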
@@ -0,0 +1,39 @@
+{ config
+, pkgs
+, inputs
+, ...
+}:
+let
+ mailPassword =
+ { service }:
+ {
+ secret."${service}-password" = { };
+ secret."${service}-password-hash" = { };
+ generator.path = with pkgs; [
+ coreutils
+ xkcdpass
+ mkpasswd
+ ];
+ generator.script = ''
+ xkcdpass -n 4 -d - > $secrets/${service}-password
+ cat $secrets/${service}-password | mkpasswd -s -m bcrypt > $secrets/${service}-password-hash
+ '';
+ };
+in
+{
+ mailserver = rec {
+ enable = true;
+ fqdn = "mail.clan.lol";
+ domains = [ "clan.lol" ];
+
+ loginAccounts."golem@clan.lol".hashedPasswordFile =
+ config.clanCore.facts.services.golem-mail.secret.golem-password-hash.path;
+ loginAccounts."gitea@clan.lol".hashedPasswordFile =
+ config.clanCore.facts.services.gitea-mail.secret.gitea-password-hash.path;
+ };
+
+ security.acme.acceptTerms = true;
+
+ clanCore.facts.services.golem-mail = mailPassword { service = "golem"; };
+ clanCore.facts.services.gitea-mail = mailPassword { service = "gitea"; };
+}
diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix
index edb40d5..952be76 100644
--- a/modules/web01/gitea/default.nix
+++ b/modules/web01/gitea/default.nix
@@ -26,13 +26,16 @@ in
 package = self.packages.${pkgs.hostPlatform.system}.gitea;
 settings.actions.ENABLED = true;
+
+ mailerPasswordFile = config.clanCore.facts.services.gitea-mail.secret.gitea-password.path;
+
 settings.mailer = {
 ENABLED = true;
 FROM = "gitea@clan.lol";
- SMTP_ADDR = "localhost";
- SMTP_PORT = 25;
- PROTOCOL = "smtps";
+ USER = "gitea@clan.lol";
+ HOST = "mail.thalheim.io:587";
 };
+ settings.log.LEVEL = "Error";
 settings.service.DISABLE_REGISTRATION = false;
 settings.metrics.ENABLED = true;
@@ -47,6 +50,8 @@ in
 settings.session.COOKIE_SECURE = true;
 };
+ sops.secrets.web01-gitea-password.owner = config.systemd.services.gitea.serviceConfig.User;
+
 services.nginx.virtualHosts."git.clan.lol" = publog {
 forceSSL = true;
 enableACME = true;
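Review bot: `generator.script` in `mailPassword` runs without `set -euo pipefail`, so if `xkcdpass` fails the first redirect still creates an empty `${service}-password` file and the second line turns that empty string into a valid-looking bcrypt hash — the mail account would then accept an empty password, unless the clan fact generator already runs scripts with errexit, which is not visible here. Start the script with `set -euo pipefail` and let mkpasswd read the file directly: `mkpasswd -s -m bcrypt < $secrets/${service}-password > $secrets/${service}-password-hash`. The `rec` on `mailserver = rec {` and the `inputs` module argument are both unused in this file and can be dropped.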
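Review bot: `HOST = "mail.thalheim.io:587"` sends Gitea's mail through a host outside `clan.lol`, while the same commit deploys a mail server with `fqdn = "mail.clan.lol"` and creates the `gitea@clan.lol` account there, whose password this block reads via `mailerPasswordFile`; unless mail.thalheim.io also serves that account, SMTP authentication will fail, so either use `HOST = "mail.clan.lol:587";` or add a comment explaining why an external relay is intended. The removed `PROTOCOL = "smtps"` is not replaced; recent Gitea versions infer STARTTLS from port 587, but stating `PROTOCOL = "smtp+starttls";` makes the transport-security requirement explicit instead of relying on that inference. In the second hunk, `sops.secrets.web01-gitea-password.owner` appears to be the sops entry backing the `gitea-password` fact; a one-line comment naming that link would save the next reader a search. The enclosing attribute set starts before the hunk.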
diff --git a/modules/web01/postfix.nix b/modules/web01/postfix.nix
index df71ad0..5b296db 100644
--- a/modules/web01/postfix.nix
+++ b/modules/web01/postfix.nix
@@ -1,40 +1,41 @@
-{ config, ... }:
+{ }
-let
- domain = "clan.lol";
-in
-{
- services.opendkim.enable = true;
- services.opendkim.domains = domain;
- services.opendkim.selector = "v1";
- services.opendkim.user = config.services.postfix.user;
- services.opendkim.group = config.services.postfix.group;
-
- # postfix configuration for sending emails only
- services.postfix = {
- enable = true;
- hostname = "mail.${domain}";
- inherit domain;
-
- config = {
- smtp_tls_note_starttls_offer = "yes";
-
- smtp_dns_support_level = "dnssec";
- smtp_tls_security_level = "dane";
-
- tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
-
- smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
- mydestination = "localhost.$mydomain, localhost, $myhostname";
- myorigin = "$mydomain";
-
- milter_default_action = "accept";
- milter_protocol = "6";
- smtpd_milters = "unix:/run/opendkim/opendkim.sock";
- non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
-
- inet_interfaces = "loopback-only";
- inet_protocols = "all";
- };
- };
-}
+#{ config, ... }:
+#let
+# domain = "clan.lol";
+#in
+#{
+# services.opendkim.enable = true;
+# services.opendkim.domains = domain;
+# services.opendkim.selector = "v1";
+# services.opendkim.user = config.services.postfix.user;
+# services.opendkim.group = config.services.postfix.group;
+#
+# # postfix configuration for sending emails only
+# services.postfix = {
+# enable = true;
+# hostname = "mail.${domain}";
+# inherit domain;
+#
+# config = {
+# smtp_tls_note_starttls_offer = "yes";
+#
+# smtp_dns_support_level = "dnssec";
+# smtp_tls_security_level = "dane";
+#
+# tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
+#
+# smtpd_relay_restrictions = "permit_mynetworks permit_sasl_authenticated defer_unauth_destination";
+# mydestination = "localhost.$mydomain, localhost, $myhostname";
+# myorigin = "$mydomain";
+#
+# milter_default_action = "accept";
+# milter_protocol = "6";
+# smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+# non_smtpd_milters = "unix:/run/opendkim/opendkim.sock";
+#
+# inet_interfaces = "loopback-only";
+# inet_protocols = "all";
+# };
+# };
+#}
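Review bot: The whole former module is kept as a commented-out copy under an empty `{ }`, which leaves a dead Postfix/OpenDKIM configuration in the tree that git history already preserves; delete `modules/web01/postfix.nix` and remove it from wherever it is imported instead of keeping the comment block. If a placeholder is wanted, a single line such as `# Local send-only Postfix/OpenDKIM relay replaced by nixos-mailserver (see modules/mailserver.nix)` conveys more than the commented lines do. Anything else on web01 that relied on the loopback-only relay on port 25 — the old Gitea `SMTP_ADDR = "localhost"` in this same diff was one such consumer — now needs its own authenticated mailer settings, which is worth checking before the relay goes away.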