Squash merge feat/mail-server into main

2025-07-14 16:18:20 +08:00 · 2025-07-14 16:18:20 +08:00 · 06bcfe62ff
commit 06bcfe62ff
parent 14f4243aee
21 changed files with 973 additions and 67 deletions
--- a/system/dev/dn-pre7780/boot.nix
+++ b/system/dev/dn-pre7780/boot.nix
@ -37,18 +37,6 @@
    ];
  };

-  # fileSystems."/mnt/nextcloud" = {
-  #   enable = true;
-  #   depends = [ "/mnt/windows" ];
-  #   device = "/mnt/windows/Linux/nextcloud";
-  #
-  #   fsType = "none";
-  #   options = [
-  #     "nofail"
-  #     "bind"
-  #   ];
-  # };
-
  boot.supportedFilesystems = [ "ntfs" ];
  boot.loader.systemd-boot.enable = true;

--- a/system/dev/dn-pre7780/default.nix
+++ b/system/dev/dn-pre7780/default.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  settings,
+  config,
  ...
 }:
 {
@ -14,6 +15,7 @@
    ./boot.nix
    ./sops-conf.nix
    # ./nginx.nix
+    ../../modules/certbot.nix
    ../../modules/presets/basic.nix
    ../../modules/gaming.nix
    ../../modules/secure-boot.nix
@ -26,8 +28,28 @@
    #   datadir = "/mnt/nextcloud";
    #   https = false;
    # })
+    ../../modules/mail-server
  ];

+  mail-server = {
+    enable = true;
+    mailDir = "~/Maildir";
+    virtualMailDir = "/var/mail/vhosts";
+    domain = "vmail.net.dn";
+    networks = [
+      "127.0.0.0/8"
+      "10.0.0.0/24"
+    ];
+    openFirewall = true;
+    sslKey = "/etc/letsencrypt/live/vmail.net.dn/privkey.pem";
+    sslCert = "/etc/letsencrypt/live/vmail.net.dn/fullchain.pem";
+    dovecot.ldapFile = config.sops.secrets."dovecot/openldap".path;
+    openldap = {
+      passwordFile = config.sops.secrets."openldap/adminPassword".path;
+      enableWebUI = true;
+    };
+  };
+
  home-manager = {
    users."${settings.personal.username}" = {
      imports = [
@ -46,10 +68,13 @@
  ];

  users.users = {
-    "${settings.personal.username}".openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D"
-    ];
+    "${settings.personal.username}" = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJFQA42R3fZmjb9QnUgzzOTIXQBC+D2ravE/ZLvdjoOQ danny@lap.dn"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSHkPa6vmr5WBPXAazY16+Ph1Mqv9E24uLIf32oC2oH danny@phone.dn"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMj/LeB3i/vca3YwGNpAjf922FgiY2svro48fUSQAjOv Shortcuts on :D"
+      ];
+    };
  };
+
 }
--- a/system/dev/dn-pre7780/secret.yaml
+++ b/system/dev/dn-pre7780/secret.yaml
@ -1,12 +1,14 @@
 wireguard:
    conf: ENC[AES256_GCM,data:ozLdARKsxx5WNxyDgNttKW+FC9/4xEZ0UYmayf04IYNwzzps5Njdtwz1M8/sJoFKoqR7FlQ8eEz1RLCHl9nFwwLkcd14Qm3Du/8Rujw2ZiGJWxO1H71tnJwZBNg0Hr0ex5j4aCs7A38yWA+Grj4FOPvfyMt/zTzUZfu2PYWfPuwMmxR6EU8AMTSDaHUhf26ZwpWg5TG3QjiEJHKnJPzjUo8Imff7XnMENmVMbRSgxCe7CDyrKIAkxQ568sqJpNIovtEXRdEtdLnzI3wUW8WEEnRrfpPwACBsxJxyXLvkr2KIboA4caKiqcFNnx0dzVbDbbWOcgipN3b/ztzNU+mp,iv:p+ITGhlXfDsbx4V+1+P0wKy4OCMXxQZb4loflzFUcrw=,tag:bJuOcphL/K9pBHs/CLQ8rA==,type:str]
+dovecot:
+    openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str]
 nextcloud:
    adminPassword: ENC[AES256_GCM,data:7rC29qpvDGDZOuW+ONot,iv:+A7yoeys74IRsAR5unH4eHcgjbzF/UKZWY9Q0AVLN7U=,tag:v/KWQH+p0Yh9CIt7sHHDGA==,type:str]
+openldap:
+    adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str]
+lam:
+    env: ENC[AES256_GCM,data:f1LlC/VvilH8o2Ra7MrSHsMEGlGw3LOV2O9JJf9f,iv:u7cXM8n3jJeLBfxXtA0QMyijBqTcC+yJeW/OO9JuZMI=,tag:QL5FkcCPI5Gxudi0NmCZWg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
          enc: |
@ -17,8 +19,7 @@ sops:
            MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
            lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-28T04:43:00Z"
-    mac: ENC[AES256_GCM,data:EQgrbquDQa0+U8jUKA5XxVqueiwibuRXHoXUcvgGOvhvXkOR2WdKvyia+UhWze2DBfYXWgAEG2Ljt1xUWSo0OhCjLbHTHmu9DCywbpeiRpAAFH0xj0wdvSVG3amsEIN6a3RyLpCq8P/n8F2HeB9dLNZvddmTgBsfGxyS0okUGuk=,iv:zntdTMwkOs+c3fIevzqCalSZjB7lAHvGB2PhEnLB3Hc=,tag:ngtyM1wMESWfGEFdxCcwDg==,type:str]
-    pgp: []
+    lastmodified: "2025-06-15T08:18:50Z"
+    mac: ENC[AES256_GCM,data:sq+/fpOeNO5wn9S1kFqzRy6xCOVkSBcAkral7MTn4UxRebBDa78KF76Nsba0+o5bzwCchoGl/TC6vySIzGq8FUYwd1tQ9nH5DlqYBVVRgRlKLRyhxXf14BTyYgzHzFuRWdFyY8i4j0flZtlDHk4dVQrE4OhHvhLQ2Zvet5HQ20I=,iv:qoPZ+8tAHJxcR53M2PNwukYgdguSRrAVB+FtKYbf+aM=,tag:FYaPzh6o0ZI27Ul5jEhgVg==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2
--- a/system/dev/dn-pre7780/sops-conf.nix
+++ b/system/dev/dn-pre7780/sops-conf.nix
@ -1,8 +1,20 @@
+{ config, lib, ... }:
 {
  sops = {
    secrets = {
      "wireguard/conf" = { };
      "nextcloud/adminPassword" = { };
+      "openldap/adminPassword" = lib.mkIf config.services.openldap.enable {
+        owner = config.users.users.openldap.name;
+        group = config.users.users.openldap.group;
+        mode = "0660";
+      };
+      "lam/env" = { };
+      "dovecot/openldap" = lib.mkIf (config.services.postfix.enable && config.services.openldap.enable) {
+        owner = config.services.dovecot2.user;
+        group = config.services.dovecot2.group;
+        mode = "0660";
+      };
    };
  };
 }