From 9d5d5f447ae17c72b4d801e3502afea31a846f2f Mon Sep 17 00:00:00 2001 From: Lander Van den Bulcke Date: Tue, 21 Oct 2025 08:57:53 +0200 Subject: [PATCH] refactor: add mail-01 to colmena Signed-off-by: Lander Van den Bulcke --- .sops.yaml | 6 ++ flake.nix | 30 +++----- hosts/mail-01/disk-config.nix | 52 -------------- hosts/mail-01/secrets.yaml | 30 -------- hosts/servers/common.nix | 3 + hosts/servers/db-01.nix | 7 ++ hosts/servers/hosting-02.nix | 10 ++- .../default.nix => servers/mail-01.nix} | 70 +++++++------------ hosts/servers/mail-01.yaml | 30 ++++++++ 9 files changed, 90 insertions(+), 148 deletions(-) delete mode 100644 hosts/mail-01/disk-config.nix delete mode 100644 hosts/mail-01/secrets.yaml rename hosts/{mail-01/default.nix => servers/mail-01.nix} (53%) create mode 100644 hosts/servers/mail-01.yaml diff --git a/.sops.yaml b/.sops.yaml index 6b4f967..bd8509c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -70,6 +70,12 @@ creation_rules: - *hosting-02 pgp: - *lander + - path_regex: hosts/servers/mail-01.yaml$ + key_groups: + - age: + - *mail-01 + pgp: + - *lander - path_regex: hosts/mail-01/secrets.yam?l$ key_groups: - age: diff --git a/flake.nix b/flake.nix index c45e74c..fbca8d1 100644 --- a/flake.nix +++ b/flake.nix @@ -160,9 +160,6 @@ }; # servers - db-01 = hetzner.mkMachine "db-01" { - ipv6Address = "2a01:4f8:c012:15d4::/64"; - }; hosting-01 = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; specialArgs = { inherit inputs outputs; }; @@ -170,16 +167,6 @@ ./hosts/hosting-01 ]; }; - hosting-02 = hetzner.mkMachine "hosting-02" { - ipv6Address = "2a01:4f8:c013:7fc0::/64"; - }; - mail-01 = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - specialArgs = { inherit inputs outputs; }; - modules = [ - ./hosts/mail-01 - ]; - }; }; colmenaHive = 
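Review bot: The rule for `hosts/mail-01/secrets.yam?l$`, still visible as context right after the added block, is now dead: this same commit deletes `hosts/mail-01/secrets.yaml` (see the diffstat), so `.sops.yaml` keeps a key-group mapping for a path that no longer exists. Remove that rule here as well, so the file only lists live secret files and a later re-creation of the old path does not silently pick up a stale recipient list. As a minor point, `mail-01.yaml$` has an unescaped `.`; `path_regex: hosts/servers/mail-01\.yaml$` is the literal match.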
@@ -200,6 +187,7 @@ { imports = [ inputs.disko.nixosModules.disko + inputs.nixos-mailserver.nixosModules.mailserver inputs.sops-nix.nixosModules.sops nixosModules.bandcamp-collection-downloader nixosModules.namespaced-vpn @@ -212,12 +200,16 @@ machineConfig ]; - deployment = { - targetHost = "${name}.escapeangle.com"; - targetPort = 22; - targetUser = "root"; - buildOnTarget = true; - }; + deployment = + let + hostname = if name == "mail-01" then "mail" else name; + in + { + targetHost = "${hostname}.escapeangle.com"; + targetPort = 22; + targetUser = "root"; + buildOnTarget = true; + }; } ); in diff --git a/hosts/mail-01/disk-config.nix b/hosts/mail-01/disk-config.nix deleted file mode 100644 index aa2e1fa..0000000 --- a/hosts/mail-01/disk-config.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - lib, - disks ? [ "/dev/sda" ], - ... -}: -{ - disko.devices = { - disk = lib.genAttrs disks (disk: { - device = disk; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - name = "boot"; - size = "256M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - main = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # override existing partition - subvolumes = { - "/" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/"; - }; - "/home" = { - mountOptions = [ "compress=zstd" ]; - mountpoint = "/home"; - }; - "/nix" = { - mountOptions = [ - "compress=zstd" - "noatime" - ]; - mountpoint = "/nix"; - }; - }; - }; - }; - }; - }; - }); - }; -} diff --git a/hosts/mail-01/secrets.yaml b/hosts/mail-01/secrets.yaml deleted file mode 100644 index d36843c..0000000 --- a/hosts/mail-01/secrets.yaml +++ /dev/null 
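Review bot: `inputs.nixos-mailserver.nixosModules.mailserver` is now imported into every node built by this colmena wrapper, not only mail-01, whereas the removed `hosts/mail-01/default.nix` imported it for that one host. The module should stay inert on db-01 and hosting-02 as long as nothing sets `mailserver.enable`, but every server now evaluates its options, and any `mailserver.*` setting that lands in a shared module would apply fleet-wide. Prefer importing it from `hosts/servers/mail-01.nix` (assuming `inputs` reaches the per-host module, as the old file relied on) and keeping this shared import list mail-agnostic. The enclosing machine function starts and ends outside this hunk.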
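Review bot: `hostname = if name == "mail-01" then "mail" else name;` hard-codes one node's DNS label into the generic deployment wrapper, so every future node whose DNS name differs from its colmena name needs another branch here. Because the wrapper assigns `targetHost` unconditionally, a node module cannot override it either; `targetHost = nixpkgs.lib.mkDefault "${name}.escapeangle.com";` (using the `nixpkgs.lib` the flake already references) would let `hosts/servers/mail-01.nix` declare `deployment.targetHost = "mail.escapeangle.com";` itself and the special case could go. The binding of `name` and the rest of the wrapper are outside this hunk.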
@@ -1,30 +0,0 @@ -mail-password-lander: ENC[AES256_GCM,data:6A0pw04sdzAAE2dakrGt68OkYzMFzeY1fKBAAIcO6PF1Sbna+6JbdIjikuN7ucdEGC+cPBpHNaWM8ZuZ,iv:LC4WSSAWW4uEFGHiDiZG5Q1mQgQnp28WngFyE4sECI8=,tag:gcDe1+PX9Zbe7Uu6RXJ8Ng==,type:str] -mail-password-authelia: ENC[AES256_GCM,data:pbI48v40B8Sehrl28HuZKEdw0nK4pmn7O8FveQzCh/C5+kkbg1QBG6facY58+mvsHXJ5pBZNfPp9uAV9,iv:zZkwl+dDzY0ynun0Pgm5lVB+YZIGFnGr/nNTRE9IgHc=,tag:KmuBl1E8/80yvzP9IAGlnw==,type:str] -mail-password-forgejo: ENC[AES256_GCM,data:arHdupQdSSJgVzcjJdYZ3gB51VfdABk8VNa9tuc9ayerfoOCPn7ydt8eS/qg7XX5fKsH+/5h4q9N/Etw,iv:cc+mqg0ETTikuwXC/i8vKea2k7Ph9Dx7fQOb2iHAOk8=,tag:/bxU7tArkKtv33HPeyxauA==,type:str] -sops: - age: - - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUXBtSzJiYXhZMStON3dj - MTlXdE5BaVRWalAzUDBxRWpDT3dWTmRLNFVnCnN0cGc3Qkt5YXRTTHJCaGVIQjgw - NVozQzZDTE5TNUpsa3cyVU9mNEdWOUEKLS0tIG1FWkkrQ0s1TlV1VkIxR2RjRXFw - bG9hd3RXaERsYU5RaCtiOVYrcFlvam8Ky3iq96BO4uMiYLpZ903UCJYfByQIMtI5 - YNDVMgIqVI9vVDq1BnPqyOssHJ7FO69i+BUSSrjqZKsyAjknqPmvoA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-08T10:48:10Z" - mac: ENC[AES256_GCM,data:8BkeK7uMlWWulKvr1aEcKDpDsHntIVTIz37qePaSSby3zOVu6agc4VwNVNk4tbCLvuXJS+ULPUltkAfh9qffsFJe5X+Jd7ZnvEd5IBMJGdWDDtP1iYSMgga9aYfl/hE030xSo6Utblprf2KGw+KpHEeCViFvU6+oJFqTB/Vwekc=,iv:97YBIUh9HjLIwoGFB1oDiLC6OqwRK1POeksDxE+Ierc=,tag:ZBBb4k5tJdqI/HcZCfKoLg==,type:str] - pgp: - - created_at: "2025-01-17T23:46:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DARdpY4woM6wSAQdAKAJEIw16NdGquumUwVQeZeHWaQixvg6z/BiWYhkdmRAw - U7r4y86ZTf/Am1D+N+mMSZTWB0ncKjgfS8nzvHyFKHUkBMmJhIwtVNxlIoWe4+xc - 0l4BC+s5Mk8rhkofbq+fw6k5dwVF5HxqE7o9JK9ntbOkyHGsblQd9PsIyvr6pXt+ - Edllt9Ol/oJC+T+Sv3O2Y21y9ZzNJoleGv7UaFvgQ1+9nksYTbYRHLGh7w0B+xSH - =YYVU - -----END PGP MESSAGE----- - fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 - unencrypted_suffix: _unencrypted - version: 3.10.2 
diff --git a/hosts/servers/common.nix b/hosts/servers/common.nix index 26590f1..87e9701 100644 --- a/hosts/servers/common.nix +++ b/hosts/servers/common.nix @@ -86,6 +86,9 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026" ]; + security.acme.defaults.email = "landervandenbulcke@gmail.com"; + security.acme.acceptTerms = true; + nix = { settings = { trusted-users = [ "lander" ]; diff --git a/hosts/servers/db-01.nix b/hosts/servers/db-01.nix index b22f2b8..5bbd2c5 100644 --- a/hosts/servers/db-01.nix +++ b/hosts/servers/db-01.nix @@ -1,5 +1,12 @@ { config, pkgs, ... }: { + + systemd.network.networks."30-wan".addresses = [ + { + Address = "2a01:4f8:c012:15d4::/64"; + } + ]; + services.postgresql = { enable = true; enableTCPIP = true; diff --git a/hosts/servers/hosting-02.nix b/hosts/servers/hosting-02.nix index 25d8374..603c55d 100644 --- a/hosts/servers/hosting-02.nix +++ b/hosts/servers/hosting-02.nix @@ -5,6 +5,13 @@ ... }: { + + systemd.network.networks."30-wan".addresses = [ + { + Address = "2a01:4f8:c013:7fc0::/64"; + } + ]; + networking.firewall = { enable = true; allowedTCPPorts = [ @@ -146,8 +153,5 @@ }; }; - security.acme.defaults.email = "landervandenbulcke@gmail.com"; - security.acme.acceptTerms = true; - system.stateVersion = "25.05"; } diff --git a/hosts/mail-01/default.nix b/hosts/servers/mail-01.nix similarity index 53% rename from hosts/mail-01/default.nix rename to hosts/servers/mail-01.nix index 51384ef..85327b3 100644 --- a/hosts/mail-01/default.nix +++ b/hosts/servers/mail-01.nix 
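Review bot: `systemd.network.networks."30-wan".addresses` in db-01.nix, and the identical block in the hosting-02.nix hunk below, append to a network unit that neither file defines, so the address only takes effect if a shared module (presumably the one that replaced `hetzner.mkMachine`'s `ipv6Address` argument) declares `"30-wan"` with its match section. If that unit name ever drifts, NixOS generates a separate `30-wan.network` with no `[Match]` and the v6 address is silently never assigned; a one-line comment such as `# merged into the "30-wan" unit declared in <shared hetzner module>` would make the coupling visible in both files. The blank line inserted directly after the opening `{` in both hunks is a formatting nit.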
@@ -3,53 +3,16 @@ let floatingIPv4 = "78.47.245.200"; in { - imports = [ - ./disk-config.nix + systemd.network.networks."30-wan".addresses = [ { - _module.args.disks = [ "/dev/sda" ]; + Address = "${floatingIPv4}/32"; + } + { + Address = "2a01:4f8:c012:976d::/64"; } - - inputs.nixos-mailserver.nixosModules.mailserver - - ../common/servers ]; - time.timeZone = "Europe/Berlin"; - - networking.hostName = "mail-01"; - networking.interfaces.enp1s0 = { - ipv4.addresses = [ - { - address = floatingIPv4; - prefixLength = 32; - } - ]; - }; - networking.defaultGateway = { - address = "172.31.1.1"; - interface = "enp1s0"; - }; - networking.nameservers = [ "8.8.8.8" ]; - - sops.secrets.mail-password-lander = { - owner = "root"; - group = "root"; - sopsFile = ./secrets.yaml; - }; - - sops.secrets.mail-password-authelia = { - owner = "root"; - group = "root"; - sopsFile = ./secrets.yaml; - }; - - sops.secrets.mail-password-forgejo = { - owner = "root"; - group = "root"; - sopsFile = ./secrets.yaml; - }; mailserver = { - enable = true; fqdn = "mail.escapeangle.com"; domains = [ "escapeangle.com" ]; @@ -94,8 +57,27 @@ in "smtp_bind_address" = floatingIPv4; }; - security.acme.defaults.email = "landervandenbulcke@gmail.com"; - security.acme.acceptTerms = true; + sops = { + defaultSopsFile = ./mail-01.yaml; + validateSopsFiles = false; + + secrets = { + mail-password-lander = { + owner = "root"; + group = "root"; + }; + + mail-password-authelia = { + owner = "root"; + group = "root"; + }; + + mail-password-forgejo = { + owner = "root"; + group = "root"; + }; + }; + }; system.stateVersion = "24.11"; } diff --git a/hosts/servers/mail-01.yaml b/hosts/servers/mail-01.yaml new file mode 100644 index 0000000..bae9069 --- /dev/null +++ b/hosts/servers/mail-01.yaml 
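Review bot: `enable = true;` is dropped from the `mailserver` block (the `- enable = true;` line just before `fqdn = "mail.escapeangle.com";`) and nothing else in this patch sets `mailserver.enable`; as far as I know the nixos-mailserver option is off by default, so unless a module outside the diff turns it on, the next colmena deploy stops configuring the mail stack on this host. Keep `enable = true;` in this file, or add a comment naming where it is now set. The removed `networking.hostName`, `networking.defaultGateway` and `networking.nameservers` lines likewise now depend on the shared server module, which a short comment at the top of the file should state. The enclosing attribute set starts outside this hunk.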
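Review bot: `validateSopsFiles = false;` switches off sops-nix's evaluation-time check that `./mail-01.yaml` is a well-formed, encrypted sops file, which is the guard that catches a plaintext or truncated secrets file before it is deployed. The file is referenced by a relative in-repo path, so the default validation should work here; if it was disabled to work around a specific colmena evaluation error, record that in a comment, `# validateSopsFiles = false: <reason>`, otherwise remove the line and keep the check. The three `owner = "root"; group = "root";` entries appear to be sops-nix's defaults and could be collapsed to bare attribute names. The `mailserver` block this hunk continues starts outside it.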
@@ -0,0 +1,30 @@ +mail-password-lander: ENC[AES256_GCM,data:eSsuEoAyIAL41qCD9SoqwqPsgkYM43Dp/OEatNZ42ocv5neVXBk2QyIYmZWp48vUwBOUwhzTVvV8yZov,iv:AKoosg/0Zf3OkhTiEJQkFjnG6JuQL7EdoUEmEIzsSjE=,tag:jQtTk6kQdYXqYNDDWss8Ig==,type:str] +mail-password-authelia: ENC[AES256_GCM,data:JCSPMP2DMFeb7fdBbkLhj35A3C6h4PmHSKgIuRrrfVlLPHXA+FyhQrl8P3hxdrFiFB1vr+G4ftOcoeZa,iv:Vk1xWJNrETCBKLqijE+Ftc7+hOg5u7KdcdqngIq9ZCE=,tag:pNubO1GLaiegRLAkU6rw4Q==,type:str] +mail-password-forgejo: ENC[AES256_GCM,data:8BQcs6getbwXLvSTJ+j5j1XyS54qa9XMsyVvGaRocNUIgNnjhGndOVtEa2HfdXouIspbBP2rEY/yWRQj,iv:H87iJeDxR5n1VcdCtvVe29VJbvB2xfZE/DyIsl8pzzY=,tag:kIWsl2Rh0If1/8E22qf2BA==,type:str] +sops: + age: + - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWFSZnBDcHk2YkZ1SUlx + aTBMZXdDajlGY3diUlRJcElJN3Z2T1B6M25rClFHVS9yU1NyZTl1L21QaVFiNmtR + V1liS3NWVERzcGpBclk0SHZaOEVZOTgKLS0tIHZKckRDaDd3ajFNQWw4cUNPeElx + MjI1UTlRRXdVaE5oSHBVRy9hcFNESzAKhdgGeeLl+BhslAFJmChAy7Ht+CPmZQqo + 0Km8AGCKAmOQWEym0yRW/rKp35sOla4PQ4JWGlthNhcqyR2Kd916OQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-21T06:31:39Z" + mac: ENC[AES256_GCM,data:MT21zzC32cJBRZD0VYqdY5bI3MvgUh2Xttn5VUhp00T/s7oK8BipfL8gbsmTMM0rCyKgJmWKN8b3Xcw0uc71KK8aiZVyV/By/ppN/mbkGSMmQnr7dKTnNL0FeJ/pG6SbnbH9XpMTGaGlanVt7k/WtYTRHZVqV10+oiHWFhZGpAc=,iv:GgsDIbyQ7QMZf48qKGoGGQsvJO8P9Q1l4v9YK13O+s4=,tag:h0XNVd8GB/Dzdl2EKpeCAA==,type:str] + pgp: + - created_at: "2025-10-21T06:31:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DARdpY4woM6wSAQdA/Ndn97s0tXWWExKKZS97MBYSoUlgJNysXtHWVMWBfRsw + NtHXaGCHfWTTfVYyM4gZ3uIGdxAJSKafac54AgttzP/XOObv4bkE94eWSdFhwK2a + 0l4BqfqGy3OQmwuwbKjrZJ1HpQ7YvyDdwuHgG+t5fXc7g46DYgn6XkYVVY+nGas2 + o6HxRApdHgXu0V8d9bcZtXaJXBjSW0RllTT5zeHX7kTqtFR9cg7hsggbvrbkqcmN + =xqTz + -----END PGP MESSAGE----- + fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + unencrypted_suffix: _unencrypted + version: 3.11.0