feat: mail server

2025-05-05 13:37:38 +08:00 · 2025-05-05 13:37:38 +08:00 · 1e77f204d0
commit 1e77f204d0
parent 396a4d603d
13 changed files with 320 additions and 57 deletions
--- a/system/modules/certbot.nix
+++ b/system/modules/certbot.nix
@ -25,13 +25,14 @@
      ExecStart = ''${pkgs.certbot}/bin/certbot renew'';
      ExecStartPost = "${pkgs.busybox}/bin/chown nginx:nginx -R /etc/letsencrypt";
    };
-    unitConfig = {
-      OnSuccess = "nginx-reload-after-certbot.service";
-    };
  };

  systemd.services."nginx-reload-after-certbot" = {
+    after = [ "certbot-renew.service" ];
+    requires = [ "certbot-renew.service" ];
+    wantedBy = [ "certbot-renew.service" ];
    serviceConfig = {
+      Type = "oneshot";
      User = "nginx";
      # This config file path refers to "services.nginx.enableReload"
      ExecStart = ''${pkgs.nginx}/bin/nginx -s reload -c /etc/nginx/nginx.conf'';
--- a/system/modules/openldap.nix
+++ b/system/modules/openldap.nix
@ -0,0 +1,129 @@
+{
+  urlList ? [ "ldap:///" ],
+}:
+{
+  pkgs,
+  config,
+  ...
+}:
+let
+  create_ldap_user = pkgs.writeShellScriptBin "create_ldap_user" ''
+    # Base DN for LDAP directory
+    BASE_DN="dc=net,dc=dn"
+    # Organizational Unit (OU) where users are stored
+    OU="people"
+
+    # Prompt for username
+    read -p "Please enter the username: " USERNAME
+
+    # Prompt for password (hidden input)
+    read -s -p "Please enter the password: " USER_PASSWORD
+    echo
+    # Prompt for password confirmation (hidden input)
+    read -s -p "Please confirm the password: " USER_PASSWORD_CONFIRM
+    echo
+
+    # Check if the entered passwords match
+    if [ "$USER_PASSWORD" != "$USER_PASSWORD_CONFIRM" ]; then
+      echo "❌ Passwords do not match. Please run the script again."
+      exit 1
+    fi
+
+    # Hash the password using slappasswd
+    PASSWORD_HASH=$(slappasswd -s "$USER_PASSWORD")
+
+    # Construct the Distinguished Name (DN) for the user
+    USER_DN="uid=$USERNAME,ou=$OU,$BASE_DN"
+
+    # Check if the base DN (dc=net,dc=dn) exists, if not, create it
+    ldapsearch -x -b "$BASE_DN" > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+      echo "⚠️ $BASE_DN does not exist. Creating it now..."
+      cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
+    dn: $BASE_DN
+    objectClass: top
+    objectClass: domain
+    dc: net
+    EOF
+    fi
+
+    # Check if the OU exists, if not, create it
+    ldapsearch -x -b "ou=$OU,$BASE_DN" > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+      echo "⚠️ OU=$OU does not exist. Creating it now..."
+      cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
+    dn: ou=$OU,$BASE_DN
+    objectClass: organizationalUnit
+    ou: $OU
+    EOF
+    fi
+
+    # Add the user entry to the LDAP directory
+    cat <<EOF | ldapadd -x -D "cn=admin,$BASE_DN" -W
+    dn: $USER_DN
+    objectClass: inetOrgPerson
+    objectClass: organizationalPerson
+    objectClass: person
+    objectClass: top
+    uid: $USERNAME
+    cn: $USERNAME
+    sn: $USERNAME
+    userPassword: $PASSWORD_HASH
+    EOF
+
+    # Confirm the user was successfully created
+    echo "✅ User $USERNAME has been successfully created."  '';
+in
+{
+  environment.systemPackages = [
+    create_ldap_user
+  ];
+
+  services.openldap = {
+    enable = true;
+    urlList = urlList;
+
+    settings = {
+      attrs = {
+        olcLogLevel = "conns config";
+      };
+
+      children = {
+        "cn=schema".includes = [
+          "${pkgs.openldap}/etc/schema/core.ldif"
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+        ];
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [
+            "olcDatabaseConfig"
+            "olcMdbConfig"
+          ];
+
+          olcDatabase = "{1}mdb";
+          olcDbDirectory = "/var/lib/openldap/data";
+
+          olcSuffix = "dc=net,dc=dn";
+
+          olcRootDN = "cn=admin,dc=net,dc=dn";
+          olcRootPW.path = config.sops.secrets."openldap/adminPassword".path;
+
+          olcAccess = [
+            # custom access rules for userPassword attributes
+            ''
+              {0}to attrs=userPassword
+                by self write
+                by anonymous auth
+                by * none''
+
+            # allow read on anything else
+            ''
+              {1}to *
+                by * read''
+          ];
+        };
+      };
+    };
+  };
+}
--- a/system/modules/tmux.nix
+++ b/system/modules/tmux.nix
@ -36,7 +36,10 @@ in
      ];

      extraConfig = ''
-        set -gq allow-passthrough on
+        set -g allow-passthrough on
+        set -s set-clipboard on
+        set-option -s set-clipboard on
+
        set -g status "on"
        set -g status-style fg=default,bg=default
        set -g status-position top
@ -48,7 +51,6 @@ in
        setw -g window-status-format "#[fg=#171616,bg=default]  #[fg=#495361,bg=default]#(${getIconScript}/get-icon #I) #W"
        setw -g window-status-current-format "#[fg=#7e93a9,bg=default]  #[fg=#7e93a9,bg=default,bold]#(${getIconScript}/get-icon #I) #W"

-
        set -g default-terminal "xterm-256color"
        set -ga terminal-overrides ",*256col*:Tc"
        set -ga terminal-overrides '*:Ss=\E[%p1%d q:Se=\E[ q'
--- a/system/modules/vaultwarden.nix
+++ b/system/modules/vaultwarden.nix
@ -0,0 +1,32 @@
+{ domain }:
+{ config, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = [
+      "vaultwarden"
+    ];
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.sops.secrets.vaultwarden.path;
+    config = {
+      DOMAIN = domain;
+      SIGNUPS_ALLOWED = true;
+      SIGNUPS_VERIFY = true;
+      ROCKET_PORT = 8222;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_LOG = "critical";
+
+      DATABASE_URL = "postgresql:///vaultwarden";
+    };
+  };
+}