| -rw-r--r-- | flake.lock | 108 | ||||
| -rw-r--r-- | flake.nix | 31 | ||||
| -rw-r--r-- | machines/mail/default.nix | 58 | ||||
| -rw-r--r-- | modules/default.nix | 2 | ||||
| -rw-r--r-- | modules/hetzner/default.nix | 2 | ||||
| -rw-r--r-- | modules/mailserver/default.nix | 45 | ||||
| m--------- | secrets | 0 |
7 files changed, 245 insertions, 1 deletions
@@ -44,6 +44,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "catinator": { "inputs": { "nci": "nci", @@ -178,6 +194,22 @@ "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -253,6 +285,54 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "nixos-mailserver", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "nixos-mailserver", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixos-mailserver", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "mk-naked-shell": { "flake": false, "locked": { 
@@ -384,6 +464,33 @@ "type": "github" } }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_3", + "git-hooks": "git-hooks", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-25_05": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747965231, + "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "53007af63fade28853408370c4c600a63dd97f41", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-25.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { "lastModified": 1750776420, @@ -790,6 +897,7 @@ "catinator": "catinator", "flake-parts": "flake-parts_2", "nixinate": "nixinate", + "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs_4", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", @@ -15,6 +15,12 @@ pastor.url = "gitlab:cocainefarm/pastor/feature/nix"; authentik-nix.url = "github:nix-community/authentik-nix"; + + nixos-mailserver = { + url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + inputs.nixpkgs-25_05.follows = "nixpkgs"; + }; }; outputs = @@ -26,6 +32,7 @@ flake-parts, nixinate, authentik-nix, + nixos-mailserver, ... }: flake-parts.lib.mkFlake { inherit inputs; } { @@ -114,6 +121,27 @@ tlmp monitoring-node ]; + mail = nixpkgs.lib.nixosSystem { + inherit specialArgs; + system = "aarch64-linux"; + + modules = (with self.nixosModules; [ + nixinate.nixosModules.default + overlays + + common + users + wireguard + crypto + + (import ./machines/mail) + hetzner + acme + + nixos-mailserver.nixosModules.default + mailserver + ]); + }; fra01 = mkSystem [ (import ./machines/fra01) vultr @@ -143,6 +171,9 @@ ]; }; }; + perSystem = { config, pkgs, ... }: { + formatter = pkgs.nixfmt-rfc-style; + }; systems = [ "x86_64-linux" "x86_64-darwin" 
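Review bot: The new `mail` host is assembled with a hand-written `nixpkgs.lib.nixosSystem` call while `fra01` and the neighbouring hosts go through the `mkSystem` helper, so whatever `mkSystem` contributes beyond the module list shown here (extra modules, `specialArgs`, hardening defaults) is either duplicated by hand or silently missing on the mail host; `mkSystem` is defined outside this hunk, so I cannot tell which. If the only reason for bypassing it is `system = "aarch64-linux"`, consider giving the helper a `system` argument and building `mail` through it so the shared modules stay in one place. The `nixos-mailserver` input mapping (`nixpkgs` → `nixpkgs-unstable`, `nixpkgs-25_05` → `nixpkgs`) appears to match that flake's own input names, but it reads as a mistake at first glance; a comment such as `# upstream names its unstable input "nixpkgs"; the mail system itself is built from inputs.nixpkgs` next to the input would save the next reader the detour.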
diff --git a/machines/mail/default.nix b/machines/mail/default.nix
new file mode 100644
index 0000000..eca85a2
--- /dev/null
+++ b/machines/mail/default.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+let endpoint = "2a01:4f8:1c1c:3ce7::1";
+in
+{
+ networking = {
+ domain = ".vapor.systems";
+ hostName = "mail";
+ dhcpcd.enable = false;
+ interfaces.eth0 = {
+ ipv4 = {
+ addresses = [
+ { address="116.203.26.228"; prefixLength=32; }
+ ];
+
+ routes = [
+ { address = "172.31.1.1"; prefixLength = 32; }
+ ];
+ };
+ ipv6 = {
+ addresses = [
+ { address="2a01:4f8:1c1c:3ce7::1"; prefixLength=64; }
+ { address="fe80::9000:6ff:fe53:14ce"; prefixLength=64; }
+ ];
+
+ routes = [
+ { address = "fe80::1"; prefixLength = 128; }
+ ];
+ };
+ };
+
+ defaultGateway = "172.31.1.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+ };
+
+ pubKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPVwt+/sB77NZnjwqgwtkcqKsIYyMnYh5qlqYoY9dLEd";
+
+ wireguard = {
+ enable = true;
+ inherit endpoint;
+ v4 = { address = "10.10.0.6"; };
+ v6 = { address = "6"; };
+ publicKey = "lk0mN1R5Uf5iwvWe/4mOmrMap7xtsieQaJSHcXQ7+VY=";
+ allowedIPs = [];
+ };
+
+ deploy = {
+ host = endpoint;
+ sshUser = "audron";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 934aa4e..afabc28 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -35,4 +35,6 @@
 monitoring = import ./monitoring;
 monitoring-node = import ./monitoring/node-exporter.nix;
 homepage = import ./homepage;
+
+ mailserver = import ./mailserver;
 }
diff --git a/modules/hetzner/default.nix b/modules/hetzner/default.nix
index d24908d..af44deb 100644
--- a/modules/hetzner/default.nix
+++ b/modules/hetzner/default.nix
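Review bot: `networking.domain = ".vapor.systems"` in the new host file carries a leading dot, so the FQDN NixOS derives for `/etc/hosts` and `hostname -f` becomes `mail..vapor.systems`; on a mail host, where the hostname feeds HELO/EHLO and must match the PTR record, this should be `domain = "vapor.systems";` (the mailserver module sets its own `fqdn`, but the two should not disagree). `wireguard.allowedIPs = []` is the only empty field in that block; if the project's `wireguard` module (not in this hunk) passes it through as the peer's AllowedIPs, every packet from the peer is dropped, so confirm whether an empty list means "derive from the v4/v6 addresses above" and record it, e.g. `allowedIPs = []; # empty = module derives routes from v4/v6 above (confirm)`. `deploy.buildOn = "remote"` means the system closure is evaluated and built on the production mail host itself, which pulls the flake's build inputs onto that machine; if that is deliberate for an aarch64 target without a local builder, a one-line comment saying so would pre-empt the question.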
@@ -3,7 +3,7 @@ { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; boot.initrd.kernelModules = [ "nvme" ]; boot.loader.grub.device = "/dev/sda"; diff --git a/modules/mailserver/default.nix b/modules/mailserver/default.nix new file mode 100644 index 0000000..9188129 --- /dev/null +++ b/modules/mailserver/default.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, ...}: + +{ + mailserver = { + enable = true; + + fqdn = "mail.vapor.systems"; + domains = [ "vapor.systems" ]; + + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + # "user1@example.com" = { + # hashedPasswordFile = "/a/file/containing/a/hashed/password"; + # aliases = ["postmaster@example.com"]; + # }; + # "user2@example.com" = { ... }; + }; + + ldap = { + enable = true; + uris = [ "ldaps://ettves:636" ]; + + bind = { + dn = "cn=mail,ou=users,dc=mail,dc=vapor,dc=systems"; + passwordFile = "/etc/secrets/ldap"; + }; + + searchBase = "dc=mail,dc=vapor,dc=systems"; + }; + + certificateScheme = "acme"; + }; + + secrets = { + minecraft = { + source = ../../secrets/authentik/mail; + dest = "/etc/secrets/ldap"; + }; + }; + + security.acme.certs = { + "mail.vapor.systems" = { }; + }; +} diff --git a/secrets b/secrets -Subproject d5924d53340d1a26c02e67fbff0b2220bdc39ab +Subproject 811147e78d70054339a6aeb623c30959c096fea |
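Review bot: The entry that installs the LDAP bind password is named `secrets.minecraft` although its source is `secrets/authentik/mail` and its destination is the `/etc/secrets/ldap` path that `ldap.bind.passwordFile` reads, which reads as a copy-paste leftover and will mislead anyone auditing where that credential comes from; rename it to something like `secrets.mail-ldap-bind`, after checking that the project-local `secrets` module (outside this hunk) does not key on the attribute name, and confirm it installs the file with permissions readable only by the mail daemons that need it. `ldap.uris = [ "ldaps://ettves:636" ]` is a bare hostname over TLS: certificate verification only holds if `ettves` is the name in the server certificate's SAN and a trusted CA is configured for dovecot/postfix, so if this host is reached over the internal mesh with a private CA, point the module's CA option at it (where the module exposes one) rather than leaving the connection effectively unverified, and say so in a comment. The commented-out `loginAccounts` example is upstream boilerplate; with authentication delegated to the directory, a single line such as `# no local accounts: authentication is delegated to the LDAP directory configured below` is clearer than the template.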
