From ccde7ba7030c78a5f68335496886a88526e08dce Mon Sep 17 00:00:00 2001 From: Lander Van den Bulcke Date: Thu, 16 Jan 2025 18:16:36 +0100 Subject: [PATCH] feat: add mailserver Signed-off-by: Lander Van den Bulcke --- .sops.yaml | 14 +++- flake.lock | 78 +++++++++++++++++- flake.nix | 12 ++- hosts/{cloud-1 => common/servers}/default.nix | 12 +-- hosts/{cloud-1 => common/servers}/hetzner.nix | 0 hosts/mail-01/default.nix | 81 +++++++++++++++++++ hosts/{cloud-1 => mail-01}/disk-config.nix | 0 hosts/mail-01/secrets.yaml | 32 ++++++++ hosts/wodan/default.nix | 2 + 9 files changed, 212 insertions(+), 19 deletions(-) rename hosts/{cloud-1 => common/servers}/default.nix (85%) rename hosts/{cloud-1 => common/servers}/hetzner.nix (100%) create mode 100644 hosts/mail-01/default.nix rename hosts/{cloud-1 => mail-01}/disk-config.nix (100%) create mode 100644 hosts/mail-01/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 4912d0e..9d48334 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,8 +1,7 @@ keys: - - &users: - - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 - - &hosts: - - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh + - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh + - &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza creation_rules: - path_regex: hosts/common/global/secrets.yam?l$ @@ -17,8 +16,15 @@ creation_rules: - *wodan pgp: - *lander + - path_regex: hosts/mail-01/secrets.yam?l$ + key_groups: + - age: + - *mail-01 + pgp: + - *lander - path_regex: home/lander/global/secrets.yam?l$ key_groups: - age: - *wodan pgp: + - *lander diff --git a/flake.lock b/flake.lock index e4ba8f9..b494c2d 100644 --- a/flake.lock +++ b/flake.lock 
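Review bot: The last hunk adds `*lander` as a PGP recipient for `home/lander/global/secrets.yaml`, but that file is not among the nine files in the diffstat, so it has not been re-encrypted and the new rule will not take effect until `sops updatekeys home/lander/global/secrets.yaml` is run and the result committed. A second recipient gap is implied by this commit: `hosts/common/servers/default.nix` now imports `../global/sops.nix`, and if that module declares secrets from `hosts/common/global/secrets.yaml` then mail-01 cannot decrypt them, because that file's rule (whose tail is visible at the top of the hunk) lists only `*wodan` in its age group; either add `- *mail-01` there and run `updatekeys`, or keep host-specific secrets out of the shared file. The dedicated `hosts/mail-01/secrets.yam?l$` rule itself is scoped correctly to the host key plus the admin PGP key, which is the least-privilege shape you want.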
@@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "catppuccin": { "inputs": { "catppuccin-v1_1": "catppuccin-v1_1", @@ -95,6 +111,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "locked": { "lastModified": 1696426674, "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", @@ -108,7 +140,7 @@ "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -439,6 +471,30 @@ "type": "github" } }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-24_11": "nixpkgs-24_11" + }, + "locked": { + "lastModified": 1734884447, + "narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "63209b1def2c9fc891ad271f474a3464a5833294", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-24.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { "lastModified": 1734424634, 
@@ -455,6 +511,21 @@ "type": "github" } }, + "nixpkgs-24_11": { + "locked": { + "lastModified": 1734083684, + "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.11", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1735774519, @@ -571,7 +642,7 @@ "nixvim_2": { "inputs": { "devshell": "devshell", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", "home-manager": "home-manager_3", @@ -643,7 +714,7 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "gitignore": "gitignore_2", "nixpkgs": "nixpkgs_5" }, @@ -666,6 +737,7 @@ "catppuccin": "catppuccin", "disko": "disko", "home-manager": "home-manager_2", + "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs_2", "nixvim": "nixvim", "sops-nix": "sops-nix" diff --git a/flake.nix b/flake.nix index 20a438c..ca7302c 100644 --- a/flake.nix +++ b/flake.nix @@ -24,6 +24,14 @@ # neovim nixvim.url = "git+https://codeberg.org/landervdb/nixvim.git"; + + # mailserver + nixos-mailserver = { + url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11"; + inputs = { + nixpkgs.follows = "nixpkgs"; + }; + }; }; outputs = @@ -52,11 +60,11 @@ }; # servers - cloud-1 = nixpkgs.lib.nixosSystem { + mail-01 = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ - ./hosts/cloud-1 + ./hosts/mail-01 ]; }; }; diff --git a/hosts/cloud-1/default.nix b/hosts/common/servers/default.nix similarity index 85% rename from hosts/cloud-1/default.nix rename to hosts/common/servers/default.nix index ab84e05..7811bce 100644 --- a/hosts/cloud-1/default.nix +++ b/hosts/common/servers/default.nix 
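Review bot: The new `nixos-mailserver` input in flake.nix only makes `nixpkgs` follow the top-level one; the lock file in this same commit records a separate `nixpkgs-24_11` pin for it (rev `314e12ba…`), so the configuration now carries two nixpkgs checkouts that must both be bumped to pick up security fixes. Adding `nixpkgs-24_11.follows = "nixpkgs";` next to the existing `nixpkgs.follows` collapses that to one, since as far as the lock shows that input is just another nixpkgs pin. Pinning the `nixos-24.11` branch ref to a fixed rev in flake.lock is the right supply-chain posture; just remember the ref must be moved together with the nixpkgs channel at the 25.05 upgrade.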
@@ -3,17 +3,11 @@ imports = [ inputs.disko.nixosModules.disko - ./disk-config.nix - { - _module.args.disks = [ "/dev/sda" ]; - } + ../global/sops.nix + ./hetzner.nix ]; - time.timeZone = "Europe/Helsinki"; - - networking.hostName = "cloud-1"; - programs.zsh.enable = true; environment.pathsToLink = [ "/share/zsh" ]; environment.shells = [ pkgs.zsh ]; @@ -59,6 +53,4 @@ options = "--delete-older-than 7d"; }; }; - - system.stateVersion = "24.11"; } diff --git a/hosts/cloud-1/hetzner.nix b/hosts/common/servers/hetzner.nix similarity index 100% rename from hosts/cloud-1/hetzner.nix rename to hosts/common/servers/hetzner.nix diff --git a/hosts/mail-01/default.nix b/hosts/mail-01/default.nix new file mode 100644 index 0000000..669e6ad --- /dev/null +++ b/hosts/mail-01/default.nix 
@@ -0,0 +1,81 @@
+{ inputs, config, ... }:
+let
+ floatingIPv4 = "78.47.245.200";
+in
+{
+ imports = [
+ ./disk-config.nix
+ {
+ _module.args.disks = [ "/dev/sda" ];
+ }
+
+ inputs.nixos-mailserver.nixosModules.mailserver
+
+ ../common/servers
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ networking.hostName = "mail-01";
+ networking.interfaces.enp1s0 = {
+ ipv4.addresses = [
+ {
+ address = floatingIPv4;
+ prefixLength = 32;
+ }
+ ];
+ };
+ networking.defaultGateway = {
+ address = "172.31.1.1";
+ interface = "enp1s0";
+ };
+ networking.nameservers = [ "8.8.8.8" ];
+
+ sops.secrets.mail-password-lander = {
+ owner = "root";
+ group = "root";
+ sopsFile = ./secrets.yaml;
+ };
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.escapeangle.com";
+ domains = [ "escapeangle.com" ];
+
+ loginAccounts = {
+ "lander@escapeangle.com" = {
+ hashedPasswordFile = config.sops.secrets.mail-password-lander.path;
+
+ aliases = [
+ "postmaster@escapeangle.com"
+ ];
+
+ catchAll = [
+ "escapeangle.com"
+ ];
+ };
+ };
+
+ extraVirtualAliases = {
+ "abuse@escapeangle.com" = "lander@escapeangle.com";
+ };
+
+ certificateScheme = "acme-nginx";
+
+ enableImap = true;
+ enableImapSsl = true;
+
+ enableManageSieve = true;
+
+ virusScanning = true;
+ };
+
+ services.postfix.config = {
+ "smtp_bind_address" = floatingIPv4;
+ };
+
+ security.acme.defaults.email = "landervandenbulcke@gmail.com";
+ security.acme.acceptTerms = true;
+
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/cloud-1/disk-config.nix b/hosts/mail-01/disk-config.nix
similarity index 100%
rename from hosts/cloud-1/disk-config.nix
rename to hosts/mail-01/disk-config.nix
diff --git a/hosts/mail-01/secrets.yaml b/hosts/mail-01/secrets.yaml
new file mode 100644
index 0000000..3788d21
--- /dev/null
+++ b/hosts/mail-01/secrets.yaml
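Review bot: `networking.nameservers = [ "8.8.8.8" ];` routes every SPF, DKIM, DMARC and DNS-blocklist lookup the mail stack makes through a single unauthenticated third-party resolver, and the major DNSBL operators generally refuse or rate-limit queries arriving from public resolvers, so the rspamd blocklist checks this module turns on are likely to degrade silently. A local validating recursive resolver fixes both problems: `services.unbound.enable = true;` together with `networking.nameservers = [ "127.0.0.1" ];` (unbound's NixOS defaults listen on localhost only, and DNSSEC validation also makes any DANE/TLSA lookups trustworthy). Separately, `"smtp_bind_address" = floatingIPv4;` only pins the IPv4 source; if enp1s0 also gets a global IPv6 address from the Hetzner module imported via `../common/servers` (outside this hunk), outbound SMTP to IPv6 MXes will leave from an address whose PTR probably does not match `fqdn` and will be scored as spam, so either add `"smtp_bind_address6"` for an address with matching rDNS or set `"inet_protocols" = "ipv4";`. The `catchAll` on the whole domain means any local-part is accepted, which widens the spam and backscatter surface beyond the two aliases already declared; keep it only if it is intentional.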
@@ -0,0 +1,32 @@ +mail-password-lander: ENC[AES256_GCM,data:6A0pw04sdzAAE2dakrGt68OkYzMFzeY1fKBAAIcO6PF1Sbna+6JbdIjikuN7ucdEGC+cPBpHNaWM8ZuZ,iv:LC4WSSAWW4uEFGHiDiZG5Q1mQgQnp28WngFyE4sECI8=,tag:gcDe1+PX9Zbe7Uu6RXJ8Ng==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUXBtSzJiYXhZMStON3dj + MTlXdE5BaVRWalAzUDBxRWpDT3dWTmRLNFVnCnN0cGc3Qkt5YXRTTHJCaGVIQjgw + NVozQzZDTE5TNUpsa3cyVU9mNEdWOUEKLS0tIG1FWkkrQ0s1TlV1VkIxR2RjRXFw + bG9hd3RXaERsYU5RaCtiOVYrcFlvam8Ky3iq96BO4uMiYLpZ903UCJYfByQIMtI5 + YNDVMgIqVI9vVDq1BnPqyOssHJ7FO69i+BUSSrjqZKsyAjknqPmvoA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-17T23:47:07Z" + mac: ENC[AES256_GCM,data:aY/fxm82ypgW5Js6d2m4+xWX/mb1quNt8VSIATsvXOlQTrFHWBJr0ZoI1ZvgkAYDNrgqBm9iCBq9KzM+Uvin+LnuH1EPkjMtoIdTPK8z2pHcHlcHJec9sTG7WHHqCzvVQIXFC7ht4nYvzDJbS5nJBgEVaTGDx7jFyq7oJglvyP0=,iv:ysG15QRfWkqUMPf7IYnQoGvI9H0yuZEM2OiwXneGKNM=,tag:oIfsso9FVLCTzd8X+6sUQA==,type:str] + pgp: + - created_at: "2025-01-17T23:46:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DARdpY4woM6wSAQdAKAJEIw16NdGquumUwVQeZeHWaQixvg6z/BiWYhkdmRAw + U7r4y86ZTf/Am1D+N+mMSZTWB0ncKjgfS8nzvHyFKHUkBMmJhIwtVNxlIoWe4+xc + 0l4BC+s5Mk8rhkofbq+fw6k5dwVF5HxqE7o9JK9ntbOkyHGsblQd9PsIyvr6pXt+ + Edllt9Ol/oJC+T+Sv3O2Y21y9ZzNJoleGv7UaFvgQ1+9nksYTbYRHLGh7w0B+xSH + =YYVU + -----END PGP MESSAGE----- + fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/hosts/wodan/default.nix b/hosts/wodan/default.nix index 64086d7..5054524 100644 --- a/hosts/wodan/default.nix +++ b/hosts/wodan/default.nix @@ -26,6 +26,8 @@ initrd.luks.devices."luks-ed2282ac-fd73-4d82-9224-b7596b5b7cac".device = "/dev/disk/by-uuid/ed2282ac-fd73-4d82-9224-b7596b5b7cac"; + + binfmt.emulatedSystems = [ "aarch64-linux" ]; }; services.xserver.enable = true;
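Review bot: `binfmt.emulatedSystems = [ "aarch64-linux" ];` registers a system-wide qemu-user handler, so any aarch64 ELF that lands on wodan, not just Nix build sandboxes, becomes directly executable; if the only purpose is building the aarch64 `mail-01` closure, that is broader than needed. The narrower alternatives are to build on the target (`nixos-rebuild switch --flake .#mail-01 --target-host root@mail-01 --build-host root@mail-01`) or to declare mail-01 as a remote builder in `nix.buildMachines`, which keeps foreign-binary execution out of the workstation entirely. Either way a short comment such as `# qemu-user emulation: only needed to build the aarch64 mail-01 closure locally` would record why this is here. The enclosing `boot = { ... };` attribute set begins outside the hunk.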