refactor: add mail-01 to colmena

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-10-21 08:57:53 +02:00
parent df16d13590
commit 9d5d5f447a
Signed by: lander
GPG key ID: 0142722B4B0C536F
9 changed files with 90 additions and 148 deletions


@ -70,6 +70,12 @@ creation_rules:
- *hosting-02 - *hosting-02
pgp: pgp:
- *lander - *lander
- path_regex: hosts/servers/mail-01.yaml$
key_groups:
- age:
- *mail-01
pgp:
- *lander
- path_regex: hosts/mail-01/secrets.yam?l$ - path_regex: hosts/mail-01/secrets.yam?l$
key_groups: key_groups:
- age: - age:
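Review bot: The existing rule for `hosts/mail-01/secrets.yam?l$` directly below the new block is left in place although the file it matched appears to be deleted in this commit (the 30-line sops file removed later in this diff), so it now matches nothing; remove it together with adding the `hosts/servers/mail-01.yaml` rule rather than leaving a stale key group. In the new rule the `.` before `yaml` is an unescaped regex metacharacter and the pattern has no leading anchor, so `- path_regex: hosts/servers/mail-01\.yaml$` is the more precise form. The `creation_rules` list continues outside the hunk.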


@ -160,9 +160,6 @@
}; };
# servers # servers
db-01 = hetzner.mkMachine "db-01" {
ipv6Address = "2a01:4f8:c012:15d4::/64";
};
hosting-01 = nixpkgs.lib.nixosSystem { hosting-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = { inherit inputs outputs; };
@ -170,16 +167,6 @@
./hosts/hosting-01 ./hosts/hosting-01
]; ];
}; };
hosting-02 = hetzner.mkMachine "hosting-02" {
ipv6Address = "2a01:4f8:c013:7fc0::/64";
};
mail-01 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = { inherit inputs outputs; };
modules = [
./hosts/mail-01
];
};
}; };
colmenaHive = colmenaHive =
@ -200,6 +187,7 @@
{ {
imports = [ imports = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.nixos-mailserver.nixosModules.mailserver
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
nixosModules.bandcamp-collection-downloader nixosModules.bandcamp-collection-downloader
nixosModules.namespaced-vpn nixosModules.namespaced-vpn
@ -212,12 +200,16 @@
machineConfig machineConfig
]; ];
deployment = { deployment =
targetHost = "${name}.escapeangle.com"; let
targetPort = 22; hostname = if name == "mail-01" then "mail" else name;
targetUser = "root"; in
buildOnTarget = true; {
}; targetHost = "${hostname}.escapeangle.com";
targetPort = 22;
targetUser = "root";
buildOnTarget = true;
};
} }
); );
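Review bot: The mail-01 → `mail` target-host mapping on the `hostname =` line is a special case buried inside the generic per-machine deployment block, so every further host whose DNS name differs from its attribute name will extend this `if` chain. A lookup table is easier to audit: `targetHostOverrides = { mail-01 = "mail"; };` next to the hive definition and `hostname = targetHostOverrides.${name} or name;` here. The enclosing per-machine function (`name`, `machineConfig`) starts outside the hunk. Separately, the `inputs.nixos-mailserver.nixosModules.mailserver` import two hunks up is now evaluated for every colmena node, not only mail-01; if the intent is merely to make the `mailserver` options declarable it is presumably inert on the other hosts, but it does widen the module set on db-01 and hosting-02, so a one-line comment stating that intent would help.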
in in


@ -1,52 +0,0 @@
{
lib,
disks ? [ "/dev/sda" ],
...
}:
{
disko.devices = {
disk = lib.genAttrs disks (disk: {
device = disk;
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "256M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
main = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # override existing partition
subvolumes = {
"/" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/";
};
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"/nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
};
};
};
};
};
});
};
}


@ -1,30 +0,0 @@
mail-password-lander: ENC[AES256_GCM,data:6A0pw04sdzAAE2dakrGt68OkYzMFzeY1fKBAAIcO6PF1Sbna+6JbdIjikuN7ucdEGC+cPBpHNaWM8ZuZ,iv:LC4WSSAWW4uEFGHiDiZG5Q1mQgQnp28WngFyE4sECI8=,tag:gcDe1+PX9Zbe7Uu6RXJ8Ng==,type:str]
mail-password-authelia: ENC[AES256_GCM,data:pbI48v40B8Sehrl28HuZKEdw0nK4pmn7O8FveQzCh/C5+kkbg1QBG6facY58+mvsHXJ5pBZNfPp9uAV9,iv:zZkwl+dDzY0ynun0Pgm5lVB+YZIGFnGr/nNTRE9IgHc=,tag:KmuBl1E8/80yvzP9IAGlnw==,type:str]
mail-password-forgejo: ENC[AES256_GCM,data:arHdupQdSSJgVzcjJdYZ3gB51VfdABk8VNa9tuc9ayerfoOCPn7ydt8eS/qg7XX5fKsH+/5h4q9N/Etw,iv:cc+mqg0ETTikuwXC/i8vKea2k7Ph9Dx7fQOb2iHAOk8=,tag:/bxU7tArkKtv33HPeyxauA==,type:str]
sops:
age:
- recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUXBtSzJiYXhZMStON3dj
MTlXdE5BaVRWalAzUDBxRWpDT3dWTmRLNFVnCnN0cGc3Qkt5YXRTTHJCaGVIQjgw
NVozQzZDTE5TNUpsa3cyVU9mNEdWOUEKLS0tIG1FWkkrQ0s1TlV1VkIxR2RjRXFw
bG9hd3RXaERsYU5RaCtiOVYrcFlvam8Ky3iq96BO4uMiYLpZ903UCJYfByQIMtI5
YNDVMgIqVI9vVDq1BnPqyOssHJ7FO69i+BUSSrjqZKsyAjknqPmvoA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-08T10:48:10Z"
mac: ENC[AES256_GCM,data:8BkeK7uMlWWulKvr1aEcKDpDsHntIVTIz37qePaSSby3zOVu6agc4VwNVNk4tbCLvuXJS+ULPUltkAfh9qffsFJe5X+Jd7ZnvEd5IBMJGdWDDtP1iYSMgga9aYfl/hE030xSo6Utblprf2KGw+KpHEeCViFvU6+oJFqTB/Vwekc=,iv:97YBIUh9HjLIwoGFB1oDiLC6OqwRK1POeksDxE+Ierc=,tag:ZBBb4k5tJdqI/HcZCfKoLg==,type:str]
pgp:
- created_at: "2025-01-17T23:46:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdAKAJEIw16NdGquumUwVQeZeHWaQixvg6z/BiWYhkdmRAw
U7r4y86ZTf/Am1D+N+mMSZTWB0ncKjgfS8nzvHyFKHUkBMmJhIwtVNxlIoWe4+xc
0l4BC+s5Mk8rhkofbq+fw6k5dwVF5HxqE7o9JK9ntbOkyHGsblQd9PsIyvr6pXt+
Edllt9Ol/oJC+T+Sv3O2Y21y9ZzNJoleGv7UaFvgQ1+9nksYTbYRHLGh7w0B+xSH
=YYVU
-----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted
version: 3.10.2


@ -86,6 +86,9 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnthKtz0fE4yQ/X10cJgKVCjYCNkRNoqV28xAhD7h2M cardno:22_498_026"
]; ];
security.acme.defaults.email = "landervandenbulcke@gmail.com";
security.acme.acceptTerms = true;
nix = { nix = {
settings = { settings = {
trusted-users = [ "lander" ]; trusted-users = [ "lander" ];


@ -1,5 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
systemd.network.networks."30-wan".addresses = [
{
Address = "2a01:4f8:c012:15d4::/64";
}
];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = true;
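Review bot: `Address = "2a01:4f8:c012:15d4::/64"` configures the all-zeros interface identifier of the /64 as the host address; RFC 4291 reserves that form as the subnet-router anycast address, and the removed `hetzner.mkMachine "db-01" { ipv6Address = ...; }` call in flake.nix may have derived a distinct host address (commonly `::1`) from the same prefix, which this literal no longer does. Confirm which address was actually configured before the refactor and, if it was `::1/64`, write `Address = "2a01:4f8:c012:15d4::1/64";` here. The same pattern appears in the two following file sections (`2a01:4f8:c013:7fc0::/64` for hosting-02 and `2a01:4f8:c012:976d::/64` for mail-01). This hunk only sets `addresses`; the rest of the `30-wan` network (match, gateway, DNS) must be supplied by a module outside this diff.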


@ -5,6 +5,13 @@
... ...
}: }:
{ {
systemd.network.networks."30-wan".addresses = [
{
Address = "2a01:4f8:c013:7fc0::/64";
}
];
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -146,8 +153,5 @@
}; };
}; };
security.acme.defaults.email = "landervandenbulcke@gmail.com";
security.acme.acceptTerms = true;
system.stateVersion = "25.05"; system.stateVersion = "25.05";
} }


@ -3,53 +3,16 @@ let
floatingIPv4 = "78.47.245.200"; floatingIPv4 = "78.47.245.200";
in in
{ {
imports = [ systemd.network.networks."30-wan".addresses = [
./disk-config.nix
{ {
_module.args.disks = [ "/dev/sda" ]; Address = "${floatingIPv4}/32";
}
{
Address = "2a01:4f8:c012:976d::/64";
} }
inputs.nixos-mailserver.nixosModules.mailserver
../common/servers
]; ];
time.timeZone = "Europe/Berlin";
networking.hostName = "mail-01";
networking.interfaces.enp1s0 = {
ipv4.addresses = [
{
address = floatingIPv4;
prefixLength = 32;
}
];
};
networking.defaultGateway = {
address = "172.31.1.1";
interface = "enp1s0";
};
networking.nameservers = [ "8.8.8.8" ];
sops.secrets.mail-password-lander = {
owner = "root";
group = "root";
sopsFile = ./secrets.yaml;
};
sops.secrets.mail-password-authelia = {
owner = "root";
group = "root";
sopsFile = ./secrets.yaml;
};
sops.secrets.mail-password-forgejo = {
owner = "root";
group = "root";
sopsFile = ./secrets.yaml;
};
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "mail.escapeangle.com"; fqdn = "mail.escapeangle.com";
domains = [ "escapeangle.com" ]; domains = [ "escapeangle.com" ];
@ -94,8 +57,27 @@ in
"smtp_bind_address" = floatingIPv4; "smtp_bind_address" = floatingIPv4;
}; };
security.acme.defaults.email = "landervandenbulcke@gmail.com"; sops = {
security.acme.acceptTerms = true; defaultSopsFile = ./mail-01.yaml;
validateSopsFiles = false;
secrets = {
mail-password-lander = {
owner = "root";
group = "root";
};
mail-password-authelia = {
owner = "root";
group = "root";
};
mail-password-forgejo = {
owner = "root";
group = "root";
};
};
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
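Review bot: `validateSopsFiles = false;` switches off sops-nix's evaluation-time check of `./mail-01.yaml`, so a malformed or wrongly re-encrypted file (this commit re-encrypts the three mail passwords into a new file) is only noticed when decryption fails at activation on the host. The file is referenced as a path literal and appears to be added in this commit, so validation should be possible; unless it was disabled to work around a specific evaluation error, drop the line (the default is validation on) or record the reason inline, e.g. `validateSopsFiles = false; # <reason: placeholder>`. The enclosing attrset opened after the `let ... in` starts outside the hunk.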


@ -0,0 +1,30 @@
mail-password-lander: ENC[AES256_GCM,data:eSsuEoAyIAL41qCD9SoqwqPsgkYM43Dp/OEatNZ42ocv5neVXBk2QyIYmZWp48vUwBOUwhzTVvV8yZov,iv:AKoosg/0Zf3OkhTiEJQkFjnG6JuQL7EdoUEmEIzsSjE=,tag:jQtTk6kQdYXqYNDDWss8Ig==,type:str]
mail-password-authelia: ENC[AES256_GCM,data:JCSPMP2DMFeb7fdBbkLhj35A3C6h4PmHSKgIuRrrfVlLPHXA+FyhQrl8P3hxdrFiFB1vr+G4ftOcoeZa,iv:Vk1xWJNrETCBKLqijE+Ftc7+hOg5u7KdcdqngIq9ZCE=,tag:pNubO1GLaiegRLAkU6rw4Q==,type:str]
mail-password-forgejo: ENC[AES256_GCM,data:8BQcs6getbwXLvSTJ+j5j1XyS54qa9XMsyVvGaRocNUIgNnjhGndOVtEa2HfdXouIspbBP2rEY/yWRQj,iv:H87iJeDxR5n1VcdCtvVe29VJbvB2xfZE/DyIsl8pzzY=,tag:kIWsl2Rh0If1/8E22qf2BA==,type:str]
sops:
age:
- recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWFSZnBDcHk2YkZ1SUlx
aTBMZXdDajlGY3diUlRJcElJN3Z2T1B6M25rClFHVS9yU1NyZTl1L21QaVFiNmtR
V1liS3NWVERzcGpBclk0SHZaOEVZOTgKLS0tIHZKckRDaDd3ajFNQWw4cUNPeElx
MjI1UTlRRXdVaE5oSHBVRy9hcFNESzAKhdgGeeLl+BhslAFJmChAy7Ht+CPmZQqo
0Km8AGCKAmOQWEym0yRW/rKp35sOla4PQ4JWGlthNhcqyR2Kd916OQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-21T06:31:39Z"
mac: ENC[AES256_GCM,data:MT21zzC32cJBRZD0VYqdY5bI3MvgUh2Xttn5VUhp00T/s7oK8BipfL8gbsmTMM0rCyKgJmWKN8b3Xcw0uc71KK8aiZVyV/By/ppN/mbkGSMmQnr7dKTnNL0FeJ/pG6SbnbH9XpMTGaGlanVt7k/WtYTRHZVqV10+oiHWFhZGpAc=,iv:GgsDIbyQ7QMZf48qKGoGGQsvJO8P9Q1l4v9YK13O+s4=,tag:h0XNVd8GB/Dzdl2EKpeCAA==,type:str]
pgp:
- created_at: "2025-10-21T06:31:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DARdpY4woM6wSAQdA/Ndn97s0tXWWExKKZS97MBYSoUlgJNysXtHWVMWBfRsw
NtHXaGCHfWTTfVYyM4gZ3uIGdxAJSKafac54AgttzP/XOObv4bkE94eWSdFhwK2a
0l4BqfqGy3OQmwuwbKjrZJ1HpQ7YvyDdwuHgG+t5fXc7g46DYgn6XkYVVY+nGas2
o6HxRApdHgXu0V8d9bcZtXaJXBjSW0RllTT5zeHX7kTqtFR9cg7hsggbvrbkqcmN
=xqTz
-----END PGP MESSAGE-----
fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
unencrypted_suffix: _unencrypted
version: 3.11.0