Setup mail server and restructure some things

This commit is contained in:
fi 2023-09-14 14:43:49 +02:00
parent 4c382e629d
commit ba93d164cf
Signed by: fi
SSH key fingerprint: SHA256:d+6fQoDPMbSFK95zRVflRKZLRKF4cPSQb7VIxYkhFsA
90 changed files with 512 additions and 66 deletions


@ -3,8 +3,8 @@
imports = [
./prometheus-node-exporter.nix
./nginx.nix
../../users/colmena-deploy
../../users/yuri
../users/colmena-deploy
../users/yuri
];
time.timeZone = "Europe/Berlin";


@ -1,7 +1,7 @@
{ ... }:
{ lib, ... }:
{
services.prometheus.exporters.node = {
enable = true;
enable = lib.mkDefault true;
openFirewall = true;
};
}
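Review bot: `openFirewall = true` opens the node-exporter port on every interface to any source, yet only `enable` was made overridable with `lib.mkDefault`; a host that wants the exporter but not a world-reachable port now has to reach for `lib.mkForce`. For symmetry make it `openFirewall = lib.mkDefault true;`, or better drop it and open the port only towards the scraper, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];` — which interface carries scrape traffic is not visible in this commit. `lifeline` sets `enable = false` in its own configuration and, as I read the exporter module, the firewall rule is gated on `enable`, so that public host is not affected; the rest of the fleet is.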


@ -0,0 +1,69 @@
{ pkgs, ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
networking = {
hostName = "lifeline";
useDHCP = true;
wireguard = {
enable = true;
interfaces.wg0 = {
privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
listenPort = 51820;
ips = [
"172.16.50.1/24"
];
peers = [
{
name = "mail-1";
publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
allowedIPs = [ "172.16.50.2/32" ];
}
];
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
'';
};
};
nat = {
enable = true;
internalInterfaces = [ "wg0" ];
externalInterface = "ens6";
forwardPorts = [
{
destination = "172.16.50.2:25";
proto = "tcp";
sourcePort = 25;
}
{
destination = "172.16.50.2:465";
proto = "tcp";
sourcePort = 465;
}
{
destination = "172.16.50.2:993";
proto = "tcp";
sourcePort = 993;
}
];
};
firewall = {
allowedUDPPorts = [ 51820 ];
};
};
services.prometheus.exporters.node.enable = false;
system.stateVersion = "23.05";
}
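Review bot: The `postSetup`/`postShutdown` hooks duplicate what the `networking.nat` block a few lines below already requests — with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens6"` the NixOS nat module (as I read it) already masquerades wg0 traffic leaving ens6 and enables forwarding, which also makes `boot.kernel.sysctl."net.ipv4.conf.all.forwarding"` redundant. The extra `-A FORWARD -i wg0 -j ACCEPT` is broader than needed: it forwards anything the peer sends, not only the traffic belonging to the three DNAT'd ports, and because `-A` is unconditional the rules stack if wg0 is restarted without the shutdown hook running. I'd drop both hooks and the sysctl and let `networking.nat` own the rules; if an explicit FORWARD accept is still wanted, scope it to `-i wg0 -s 172.16.50.2 -o ens6`. A why-comment on `forwardPorts` would also help the next reader: `# DNAT 25/465/993 to mail-1; it sees real client IPs only because its default route comes back through wg0`.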


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
];
}


@ -0,0 +1,16 @@
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd = {
availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
kernelModules = [ "nvme" ];
};
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
}


@ -0,0 +1,19 @@
{ ... }:
{
deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}
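Review bot: Both keys spell out `env GNUPGHOME=... PASSWORD_STORE_DIR=...` by hand, while the mail-1 secrets file added in this same commit takes `keyCommandEnv` as a module argument (defined outside this diff, presumably via `_module.args` or specialArgs) and writes `keyCommand = keyCommandEnv ++ [ "pass" ... ]`; this file should use the same helper so the store location lives in one place: `{ keyCommandEnv, ... }:` in the header and `keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-1/psk" ];`. `permissions = "0640"` with `group = "root"` is root-only in effect anyway; since `networking.wireguard` applies the private key and PSK as root, `"0400"` states that intent directly. A header comment naming the peer pair would also help: `# WireGuard key material for the lifeline <-> mail-1 tunnel, read by networking.wireguard.interfaces.wg0 on this host`.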


@ -0,0 +1,61 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "mail-1";
useDHCP = true;
defaultGateway = {
address = "172.16.50.1";
interface = "wg0";
};
interfaces.enp6s18.ipv4 = {
routes = [
{
address = "10.201.0.0";
prefixLength = 16;
via = "10.202.41.1";
}
{
address = "10.202.0.0";
prefixLength = 16;
via = "10.202.41.1";
}
{
address = "172.21.87.0"; # management VPN
prefixLength = 24;
via = "10.202.41.1";
}
{
address = "217.160.117.160"; #
prefixLength = 32;
via = "10.202.41.1";
}
];
};
wireguard = {
enable = true;
interfaces.wg0 = {
ips = [
"172.16.50.2/24"
];
peers = [
{
name = "lifeline";
publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
endpoint = "lifeline.io.grzb.de:51820";
allowedIPs = [ "0.0.0.0/0" ];
persistentKeepalive = 25;
}
];
privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
};
};
};
system.stateVersion = "23.05";
}
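Review bot: The host route for `217.160.117.160/32` carries an empty `#` comment; I assume this is the public address behind `lifeline.io.grzb.de`, the WireGuard endpoint, which needs a route outside the tunnel precisely because `allowedIPs = [ "0.0.0.0/0" ]` plus `defaultGateway` via wg0 would otherwise send the tunnel's own endpoint traffic into the tunnel — write that down: `# lifeline.io.grzb.de (WireGuard endpoint) — must stay reachable outside wg0`. Relatedly, `useDHCP = true` on enp6s18 will normally also install a default route via 10.202.41.1, and which of the two defaults wins is a metric question this file does not settle; if the intent is that all egress (outbound SMTP included) leaves via lifeline, consider e.g. `networking.dhcpcd.extraConfig = "nooption routers";` or a static address on enp6s18 so wg0 is the only default. As written, a tunnel outage could silently fall back to the LAN gateway for outbound mail — either accept that explicitly in a comment or prevent it.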


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./simple-nixos-mailserver.nix
];
}


@ -0,0 +1,85 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-mail-1-mail-1-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-mail-1-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-1-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "systemd-network";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fiona-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fiona-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-yuri-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/yuri-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-mio-vs-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/mio-vs-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-fubuki-wg-grzb-de.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/fubuki-wg-grzb-de" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-cloud-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/cloud-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-status-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/status-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-matrix-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/matrix-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"mail-social-nekover-se.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
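Review bot: The WireGuard key names here do not match the paths this host's `configuration.nix` reads: the secrets are deployed as `/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret` and `/secrets/wireguard-mail-1-wg0-privatekey.secret`, while `networking.wireguard.interfaces.wg0` expects `/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret` and `/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret` — the tunnel, and with it this host's default route, cannot come up until one side is renamed. The `valkyrie` in the PSK name also suggests a copy from another peer pair; a PSK is per pair, so confirm that `wireguard/valkyrie-mail-1/psk` holds the same secret lifeline deploys from `wireguard/lifeline-mail-1/psk`. `group = "systemd-network"` on the WireGuard files is not needed for `networking.wireguard`, which applies keys as root; `"0400"` root-only would match the lifeline side.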


@ -0,0 +1,66 @@
{ simple-nixos-mailserver, ... }:
{
imports = [
simple-nixos-mailserver.nixosModule {
mailserver = {
enable = true;
openFirewall = true;
fqdn = "mail-1.grzb.de";
enableImap = false;
enableImapSsl = true;
enableSubmission = false;
enableSubmissionSsl = true;
lmtpSaveToDetailMailbox = "no";
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = {
"fiona@grzb.de" = {
hashedPasswordFile = "/secrets/mail-fiona-grzb-de.secret";
aliases = [ "@grzb.de" ];
catchAll = [ "grzb.de" ];
};
"yuri@nekover.se" = {
hashedPasswordFile = "/secrets/mail-yuri-nekover-se.secret";
aliases = [ "@nekover.se" ];
catchAll = [ "nekover.se" ];
};
"mio@vs.grzb.de" = {
hashedPasswordFile = "/secrets/mail-mio-vs-grzb-de.secret";
sendOnly = true;
aliases = [ "root@vs.grzb.de" ];
};
"fubuki@wg.grzb.de" = {
hashedPasswordFile = "/secrets/mail-fubuki-wg-grzb-de.secret";
sendOnly = true;
aliases = [ "root@wg.grzb.de" ];
};
"cloud@nekover.se" = {
hashedPasswordFile = "/secrets/mail-cloud-nekover-se.secret";
sendOnly = true;
};
"status@nekover.se" = {
hashedPasswordFile = "/secrets/mail-status-nekover-se.secret";
sendOnly = true;
};
"matrix@nekover.se" = {
hashedPasswordFile = "/secrets/mail-matrix-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
"social@nekover.se" = {
hashedPasswordFile = "/secrets/mail-social-nekover-se.secret";
sendOnly = true;
aliases = [ "nyareply@nekover.se" ];
};
};
certificateScheme = "acme-nginx";
};
}
];
services.postfix = {
transport = "relay:[mail-2.grzb.de]";
extraConfig = ''
proxy_interfaces = 212.53.203.19
'';
};
}
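Review bot: `services.postfix.transport = "relay:[mail-2.grzb.de]"` is written into the transport(5) table verbatim, and a transport entry is `pattern transport:nexthop`; as I read it this line has no pattern, so it routes nothing (postmap should at least warn). If all outbound mail is meant to leave via mail-2, `services.postfix.relayHost = "mail-2.grzb.de";` expresses that directly (or `* relay:[mail-2.grzb.de]` if the table is intended). Nothing visible here pins transport security or authentication towards that relay; unless the mailserver module already sets a strict client TLS level, add `smtp_tls_security_level = encrypt` (or an `smtp_tls_policy_maps` entry `[mail-2.grzb.de] secure`) so mail between the two hosts cannot be downgraded to cleartext, and document how mail-2 authorizes this host as a relay client. `proxy_interfaces = 212.53.203.19` also wants a why-comment: `# public address the 25/465/993 DNAT arrives from (lifeline) — lets Postfix treat it as 'us' for loop detection; confirm`.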


@ -9,6 +9,15 @@
proxyPass = "http://jellyfin.vs.grzb.de:80";
};
};
services.nginx.virtualHosts."mail-1.grzb.de" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://mail-1.vs.grzb.de:80";
};
};
services.nginx.virtualHosts."matrix.nekover.se" = {
listen = [{
addr = "0.0.0.0";
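Review bot: The `proxyPass` to `http://mail-1.vs.grzb.de:80` does not set the `Host` header, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere in this host's config the upstream sees `Host: mail-1.vs.grzb.de`; the nginx that `certificateScheme = "acme-nginx"` runs on mail-1 serves the challenge from its `mail-1.grzb.de` vhost, which only works if that vhost happens to be the default server. Add `extraConfig = "proxy_set_header Host $host;";` to the location (or enable recommendedProxySettings) so the challenge is served by name. Since this vhost deliberately forwards only `/.well-known/acme-challenge/` over plain HTTP, a one-line comment would stop someone "fixing" it with `forceSSL`: `# plain-HTTP front for mail-1's ACME http-01 challenges; mail-1 is only reachable from outside via lifeline's DNAT`.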


@ -8,7 +8,6 @@
./git.grzb.de.nix
./mewtube.nekover.se.nix
./nekover.se.nix
./nextcloud.grzb.de.nix
./social.nekover.se.nix
];


@ -1,12 +1,44 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1689469483,
"narHash": "sha256-2SBhY7rZQ/iNCxe04Eqxlz9YK9KgbaTMBssq3/BgdWY=",
"lastModified": 1693701915,
"narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "02fea408f27186f139153e1ae88f8ab2abd9c22c",
"rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
"type": "github"
},
"original": {
@ -23,11 +55,11 @@
]
},
"locked": {
"lastModified": 1690133435,
"narHash": "sha256-YNZiefETggroaTLsLJG2M+wpF0pJPwiauKG4q48ddNU=",
"lastModified": 1693791338,
"narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "b1171de4d362c022130c92d7c8adc4bf2b83d586",
"rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
"type": "github"
},
"original": {
@ -38,11 +70,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1693725722,
"narHash": "sha256-PJFNgOpNqrsafMgNuca8olo6ugxIFeQOBBiNtyq2FXA=",
"lastModified": 1694493899,
"narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "00cc1bbf20f8eb85b537f9f10b41a311f0e01e3e",
"rev": "c5167858ca4870e933da123762eb55363ccefe2b",
"type": "github"
},
"original": {
@ -52,13 +84,43 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"nixpkgs-22_11": {
"locked": {
"lastModified": 1693723626,
"narHash": "sha256-e6DnUnRT5aykzhme6wLUzYmSPw2G8j+RYwXluys2VJc=",
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5e9ff98d1dccbb391a9769b5dc660a5f6e39c18b",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1694502577,
"narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
"type": "github"
},
"original": {
@ -68,11 +130,66 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
"nixpkgs-unstable": "nixpkgs-unstable",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils"
},
"locked": {
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},


@ -6,9 +6,10 @@
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
};
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, ... }@inputs: let
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, simple-nixos-mailserver, ... }@inputs: let
hosts = import ./hosts.nix inputs;
helper = import ./helper.nix inputs;
in {
@ -25,13 +26,13 @@
nodeNixpkgs = builtins.mapAttrs (name: host: host.pkgs) hosts;
specialArgs = {
inherit hosts;
inherit hosts simple-nixos-mailserver;
};
};
} // builtins.mapAttrs (helper.generateColmenaHost) hosts;
hydraJobs = {
nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts; }) hosts;
nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { inherit hosts simple-nixos-mailserver; }) hosts;
};
# Generate a base VM image for Proxmox with `nix build .#base-proxmox`
@ -39,9 +40,9 @@
base-proxmox = nixos-generators.nixosGenerate {
system = "x86_64-linux";
modules = [
./configuration/common
./configuration/nixos-generators
./configuration/proxmox-vm
./config/common
./config/nixos-generators
./config/environments/proxmox-vm
];
format = "proxmox";
};
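Review bot: `simple-nixos-mailserver` is added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike `nixos-generators` right above it; the lock in this commit therefore pulls a second nixpkgs (`nixpkgs_2`, nixos-unstable from December 2022) plus `nixpkgs-22_11` and `nixpkgs-23_05` into the closure. Those extra inputs only matter at evaluation time — the module builds against the host's pkgs — but they widen the set of sources that has to be reviewed on every `flake update`. Add `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` for consistency, and consider following its `nixpkgs-22_11`/`nixpkgs-23_05` inputs too if they are only used by its tests.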


@ -11,7 +11,7 @@
};
# Set imports and optionally import colmena secrets configuration
imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./hosts/${name}/secrets.nix) ./hosts/${name}/secrets.nix;
imports = modules ++ nixpkgs.lib.optional (builtins.pathExists ./config/hosts/${name}/secrets.nix) ./config/hosts/${name}/secrets.nix;
};
generateNixConfiguration = name: specialArgs: {


@ -3,66 +3,90 @@ let
# Set of environment specific modules
environments = {
"proxmox" = [
./configuration/proxmox-vm
];
./config/environments/proxmox-vm
];
};
generateDefaults = hosts: builtins.mapAttrs (name: {
hostNixpkgs ? nixpkgs,
system ? "x86_64-linux",
# pkgs is explicitly defined so that overlays for each host can easily be created
pkgs ? hostNixpkgs.legacyPackages.${system},
environment ? "proxmox",
environment ? "",
site
}: {
inherit hostNixpkgs system pkgs environment site;
# define common and host modules and additionally add environment specific modules
modules = [
./configuration/common
./hosts/${name}
] ++ environments.${environment};
./config/common
./config/hosts/${name}
] ++ (if environment != "" then environments.${environment} else []);
}) hosts;
in
generateDefaults {
#fee = {
# site = "wg";
# environment = "bare-metal";
#};
hydra = {
site = "vs";
environment = "proxmox";
};
iperf = {
site = "vs";
environment = "proxmox";
};
jackett = {
site = "vs";
environment = "proxmox";
};
jellyfin = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
lifeline = {
site = "io";
};
mail-1 = {
site = "vs";
environment = "proxmox";
};
matrix = {
site = "vs";
environment = "proxmox";
};
metrics = {
site = "vs";
environment = "proxmox";
};
netbox = {
site = "vs";
environment = "proxmox";
};
nextcloud = {
site = "vs";
environment = "proxmox";
};
nitter = {
site = "vs";
environment = "proxmox";
};
coturn = {
site = "vs";
environment = "proxmox";
};
tor-relay = {
site = "vs";
environment = "proxmox";
};
web-public-2 = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
web-nonpublic-linuxcrewd = {
hostNixpkgs = nixpkgs-unstable;
site = "vs";
environment = "proxmox";
};
}
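Review bot: `environment ? ""` uses the empty string as a "no environment" sentinel and then special-cases it in `(if environment != "" then environments.${environment} else [])`; the idiomatic Nix form is `environment ? null` with `lib.optionals (environment != null) environments.${environment}`, which keeps a misspelt environment name failing loudly on the attribute lookup exactly as it does now. The `inherit ... environment` into the host record then carries `null` rather than `""` for hosts like `lifeline`, which downstream code can test without knowing the sentinel. A comment on the generator would help too: `# environment defaults to none — no environment modules are added; an unknown name fails at evaluation`.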


@ -1,34 +0,0 @@
{ ... }:
{
services.nginx.virtualHosts."nextcloud.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
proxyPass = "http://nextcloud-grzb.vs.grzb.de:80";
};
locations."= /.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
locations."= /.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
extraConfig = ''
proxy_read_timeout 3600;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 4096m;
'';
};
}