Setup mail server and restructure some things

fi 2024-11-20 05:46:40 +01:00
parent 502e5194dc
commit ba43f2ed5c
90 changed files with 512 additions and 66 deletions


@ -0,0 +1,61 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "mail-1";
useDHCP = true;
defaultGateway = {
address = "172.16.50.1";
interface = "wg0";
};
interfaces.enp6s18.ipv4 = {
routes = [
{
address = "10.201.0.0";
prefixLength = 16;
via = "10.202.41.1";
}
{
address = "10.202.0.0";
prefixLength = 16;
via = "10.202.41.1";
}
{
address = "172.21.87.0"; # management VPN
prefixLength = 24;
via = "10.202.41.1";
}
{
address = "217.160.117.160"; #
prefixLength = 32;
via = "10.202.41.1";
}
];
};
wireguard = {
enable = true;
interfaces.wg0 = {
ips = [
"172.16.50.2/24"
];
peers = [
{
name = "lifeline";
publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
endpoint = "lifeline.io.grzb.de:51820";
allowedIPs = [ "0.0.0.0/0" ];
persistentKeepalive = 25;
}
];
privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
};
};
};
system.stateVersion = "23.05";
}
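Review bot: The WireGuard secret paths this file reads, `/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret` (presharedKeyFile) and `/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret` (privateKeyFile), match no entry in the deployment.keys section of this commit, which uploads `wireguard-valkyrie-mail-1-mail-1-psk.secret` and `wireguard-mail-1-wg0-privatekey.secret` instead; unless one of the other changed files deploys the lifeline-named files, wg0 will fail to come up at activation and, because the default gateway sits on wg0, the host is left without a default route. Either rename the keys in the deployment section to the lifeline names or point these two options at the deployed file names, and keep the `pass` paths (`wireguard/valkyrie-mail-1/psk`) in step with the peer that is actually configured. Separately, the comment on the `217.160.117.160` route is empty; with allowedIPs `0.0.0.0/0` and the default gateway on the tunnel, this /32 via the LAN gateway is presumably what keeps the peer endpoint reachable outside the tunnel, so document it as `# lifeline.io.grzb.de wireguard endpoint, must stay reachable outside wg0 — confirm`.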


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./simple-nixos-mailserver.nix
];
}


@ -0,0 +1,85 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-mail-1-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fiona-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-yuri-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-mio-vs-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fubuki-wg-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-cloud-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-status-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-matrix-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
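Review bot: The eight `mail-*.secret` entries differ only in the key name and the `pass` path, so the section reads better with a helper that derives both from the account name; that keeps the file names in step with the `hashedPasswordFile` paths the mailserver module reads and makes adding an account a one-token change. The `lib` argument is assumed to be available as a standard module argument here; if this file is not evaluated as a module, pass it in explicitly. The two `wireguard-*` entries stay as they are.
```nix
{ keyCommandEnv, lib, ... }:
let
  # One deployment key per mail account; `name` is the entry under mail/ in pass
  # and also forms the on-disk file name the mailserver config reads.
  mailKey = name: lib.nameValuePair "mail-${name}.secret" {
    keyCommand = keyCommandEnv ++ [ "pass" "mail/${name}" ];
    destDir = "/secrets";
    user = "root";
    group = "root";
    permissions = "0640";
    uploadAt = "pre-activation";
  };
in
{
  deployment.keys = {
    # … unchanged: the two wireguard-* keys …
  } // lib.listToAttrs (map mailKey [
    "fiona-grzb-de" "yuri-nekover-se" "mio-vs-grzb-de" "fubuki-wg-grzb-de"
    "cloud-nekover-se" "status-nekover-se" "matrix-nekover-se" "social-nekover-se"
  ]);
}
```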


@ -0,0 +1,66 @@
{ simple-nixos-mailserver, ... }:
{
imports = [
simple-nixos-mailserver.nixosModule {
mailserver = {
enable = true;
openFirewall = true;
fqdn = "mail-1.grzb.de";
enableImap = false;
enableImapSsl = true;
enableSubmission = false;
enableSubmissionSsl = true;
lmtpSaveToDetailMailbox = "no";
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = {
"fiona@grzb.de" = {
hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
aliases = [ "@grzb.de" ];
catchAll = [ "grzb.de" ];
};
"yuri@nekover.se" = {
hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
aliases = [ "@nekover.se" ];
catchAll = [ "nekover.se" ];
};
"mio@vs.grzb.de" = {
hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
sendOnly = true;
aliases = [ "root@vs.grzb.de" ];
};
"fubuki@wg.grzb.de" = {
hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
sendOnly = true;
aliases = [ "root@wg.grzb.de" ];
};
"cloud@nekover.se" = {
hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
sendOnly = true;
};
"status@nekover.se" = {
hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
sendOnly = true;
};
"matrix@nekover.se" = {
hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
};
certificateScheme = "acme-nginx";
};
}
];
services.postfix = {
transport = "relay:[mail-2.grzb.de]";
extraConfig = ''
proxy_interfaces = 212.53.203.19
'';
};
}
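Review bot: The `services.postfix.transport` value `relay:[mail-2.grzb.de]` has no lookup pattern; a transport(5) map line is `pattern result`, so postmap will most likely reject the line as missing its value and nothing would be relayed. If the intent is to route all outbound mail through mail-2 (plausible, since the host's default route is the WireGuard tunnel), write it as `* relay:[mail-2.grzb.de]` or use `services.postfix.relayHost = "mail-2.grzb.de";` instead of a transport entry. `certificateScheme = "acme-nginx"` also needs `security.acme.acceptTerms` and a contact address set somewhere, and port 80 for `mail-1.grzb.de` has to reach this host through the `proxy_interfaces` address; none of that is visible in this commit, so it may live in one of the other changed files.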