refactor: add mail-01 to colmena

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-10-21 08:57:53 +02:00 · 2025-10-21 08:57:53 +02:00 · 9d5d5f447a
commit 9d5d5f447a
parent df16d13590
9 changed files with 90 additions and 148 deletions
--- a/hosts/servers/common.nix
+++ b/hosts/servers/common.nix
@ -86,6 +86,9 @@
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
  ];

+  security.acme.defaults.email = "landervandenbulcke@gmail.com";
+  security.acme.acceptTerms = true;
+
  nix = {
    settings = {
      trusted-users = [ "lander" ];
--- a/hosts/servers/db-01.nix
+++ b/hosts/servers/db-01.nix
@ -1,5 +1,12 @@
 { config, pkgs, ... }:
 {
+
+  systemd.network.networks."30-wan".addresses = [
+    {
+      Address = "2a01:4f8:c012:15d4::/64";
+    }
+  ];
+
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
--- a/hosts/servers/hosting-02.nix
+++ b/hosts/servers/hosting-02.nix
@ -5,6 +5,13 @@
  ...
 }:
 {
+
+  systemd.network.networks."30-wan".addresses = [
+    {
+      Address = "2a01:4f8:c013:7fc0::/64";
+    }
+  ];
+
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
@ -146,8 +153,5 @@
    };
  };

-  security.acme.defaults.email = "landervandenbulcke@gmail.com";
-  security.acme.acceptTerms = true;
-
  system.stateVersion = "25.05";
 }
--- a/hosts/servers/mail-01.nix
+++ b/hosts/servers/mail-01.nix
@ -0,0 +1,83 @@
+{ inputs, config, ... }:
+let
+  floatingIPv4 = "78.47.245.200";
+in
+{
+  systemd.network.networks."30-wan".addresses = [
+    {
+      Address = "${floatingIPv4}/32";
+    }
+    {
+      Address = "2a01:4f8:c012:976d::/64";
+    }
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.escapeangle.com";
+    domains = [ "escapeangle.com" ];
+
+    loginAccounts = {
+      "lander@escapeangle.com" = {
+        hashedPasswordFile = config.sops.secrets.mail-password-lander.path;
+
+        aliases = [
+          "postmaster@escapeangle.com"
+        ];
+
+        catchAll = [
+          "escapeangle.com"
+        ];
+      };
+
+      "authelia@escapeangle.com" = {
+        hashedPasswordFile = config.sops.secrets.mail-password-authelia.path;
+      };
+
+      "forgejo@escapeangle.com" = {
+        hashedPasswordFile = config.sops.secrets.mail-password-forgejo.path;
+      };
+    };
+
+    extraVirtualAliases = {
+      "abuse@escapeangle.com" = "lander@escapeangle.com";
+    };
+
+    certificateScheme = "acme-nginx";
+
+    enableImap = true;
+    enableImapSsl = true;
+
+    enableManageSieve = true;
+
+    virusScanning = true;
+  };
+
+  services.postfix.config = {
+    "smtp_bind_address" = floatingIPv4;
+  };
+
+  sops = {
+    defaultSopsFile = ./mail-01.yaml;
+    validateSopsFiles = false;
+
+    secrets = {
+      mail-password-lander = {
+        owner = "root";
+        group = "root";
+      };
+
+      mail-password-authelia = {
+        owner = "root";
+        group = "root";
+      };
+
+      mail-password-forgejo = {
+        owner = "root";
+        group = "root";
+      };
+    };
+  };
+
+  system.stateVersion = "24.11";
+}
--- a/hosts/servers/mail-01.yaml
+++ b/hosts/servers/mail-01.yaml
@ -0,0 +1,30 @@
+mail-password-lander: ENC[AES256_GCM,data:eSsuEoAyIAL41qCD9SoqwqPsgkYM43Dp/OEatNZ42ocv5neVXBk2QyIYmZWp48vUwBOUwhzTVvV8yZov,iv:AKoosg/0Zf3OkhTiEJQkFjnG6JuQL7EdoUEmEIzsSjE=,tag:jQtTk6kQdYXqYNDDWss8Ig==,type:str]
+mail-password-authelia: ENC[AES256_GCM,data:JCSPMP2DMFeb7fdBbkLhj35A3C6h4PmHSKgIuRrrfVlLPHXA+FyhQrl8P3hxdrFiFB1vr+G4ftOcoeZa,iv:Vk1xWJNrETCBKLqijE+Ftc7+hOg5u7KdcdqngIq9ZCE=,tag:pNubO1GLaiegRLAkU6rw4Q==,type:str]
+mail-password-forgejo: ENC[AES256_GCM,data:8BQcs6getbwXLvSTJ+j5j1XyS54qa9XMsyVvGaRocNUIgNnjhGndOVtEa2HfdXouIspbBP2rEY/yWRQj,iv:H87iJeDxR5n1VcdCtvVe29VJbvB2xfZE/DyIsl8pzzY=,tag:kIWsl2Rh0If1/8E22qf2BA==,type:str]
+sops:
+    age:
+        - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWFSZnBDcHk2YkZ1SUlx
+            aTBMZXdDajlGY3diUlRJcElJN3Z2T1B6M25rClFHVS9yU1NyZTl1L21QaVFiNmtR
+            V1liS3NWVERzcGpBclk0SHZaOEVZOTgKLS0tIHZKckRDaDd3ajFNQWw4cUNPeElx
+            MjI1UTlRRXdVaE5oSHBVRy9hcFNESzAKhdgGeeLl+BhslAFJmChAy7Ht+CPmZQqo
+            0Km8AGCKAmOQWEym0yRW/rKp35sOla4PQ4JWGlthNhcqyR2Kd916OQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-21T06:31:39Z"
+    mac: ENC[AES256_GCM,data:MT21zzC32cJBRZD0VYqdY5bI3MvgUh2Xttn5VUhp00T/s7oK8BipfL8gbsmTMM0rCyKgJmWKN8b3Xcw0uc71KK8aiZVyV/By/ppN/mbkGSMmQnr7dKTnNL0FeJ/pG6SbnbH9XpMTGaGlanVt7k/WtYTRHZVqV10+oiHWFhZGpAc=,iv:GgsDIbyQ7QMZf48qKGoGGQsvJO8P9Q1l4v9YK13O+s4=,tag:h0XNVd8GB/Dzdl2EKpeCAA==,type:str]
+    pgp:
+        - created_at: "2025-10-21T06:31:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DARdpY4woM6wSAQdA/Ndn97s0tXWWExKKZS97MBYSoUlgJNysXtHWVMWBfRsw
+            NtHXaGCHfWTTfVYyM4gZ3uIGdxAJSKafac54AgttzP/XOObv4bkE94eWSdFhwK2a
+            0l4BqfqGy3OQmwuwbKjrZJ1HpQ7YvyDdwuHgG+t5fXc7g46DYgn6XkYVVY+nGas2
+            o6HxRApdHgXu0V8d9bcZtXaJXBjSW0RllTT5zeHX7kTqtFR9cg7hsggbvrbkqcmN
+            =xqTz
+            -----END PGP MESSAGE-----
+          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0