diff --git a/home/user/waybar.nix b/home/user/waybar.nix index c24a313..9943d36 100644 --- a/home/user/waybar.nix +++ b/home/user/waybar.nix @@ -138,7 +138,7 @@ in #memory, #cpu, #pulseaudio { - font-size: ${toString (osConfig.stylix.fonts.sizes.desktop + 1)}px; + font-size: ${toString (osConfig.stylix.fonts.sizes.desktop)}px; } /* Main bar */ diff --git a/system/dev/dn-pre7780/default.nix b/system/dev/dn-pre7780/default.nix index 2dc8aea..608a49a 100644 --- a/system/dev/dn-pre7780/default.nix +++ b/system/dev/dn-pre7780/default.nix @@ -32,7 +32,12 @@ in hardware.nvidia.open = lib.mkForce true; imports = [ + ./boot.nix # Extra Boot Options + ./sops-conf.nix # Secret + ./nginx.nix + ./mail.nix ./hardware-configuration.nix + ../../modules/presets/basic.nix ../../modules/sunshine.nix @@ -43,8 +48,6 @@ in nvidia-bus-id = "PCI:1:0:0"; }) - ./boot.nix # Extra Boot Options - ./sops-conf.nix # Secret ../../modules/gaming.nix # ../../modules/secure-boot.nix ../../modules/virtualization.nix 
@@ -59,37 +62,17 @@ in ]; }) - (import ../../modules/stalwart.nix { - enableNginx = true; - domain = "pre7780.dn"; - adminPassFile = config.sops.secrets."stalwart/adminPassword".path; - dbPassFile = config.sops.secrets."stalwart/db".path; - acmeConf = { - directory = "https://ca.net.dn/acme/acme/directory"; - ca_bundle = "${"" + ../../extra/ca.crt}"; - challenge = "dns-01"; - origin = "pre7780.dn"; - contact = "admin@pre7780.dn"; - domains = [ - "pre7780.dn" - "mx1.pre7780.dn" - ]; - default = true; - provider = "rfc2136-tsig"; - host = "10.0.0.1"; - renew-before = "1d"; - port = 5359; - cache = "${config.services.stalwart-mail.dataDir}/acme"; - key = "stalwart"; - tsig-algorithm = "hmac-sha512"; - secret = "%{file:${config.sops.secrets."stalwart/tsig".path}}%"; - }; + (import ../../modules/nextcloud.nix { + hostname = "nextcloud.pre7780.dn"; + configureACME = false; + https = false; + adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; + trusted = [ "nextcloud.daccc.info" ]; }) ../../modules/davinci-resolve.nix ../../modules/webcam.nix ../../modules/postgresql.nix - ./nginx.nix ]; # Live Sync D diff --git a/system/dev/dn-pre7780/mail.nix b/system/dev/dn-pre7780/mail.nix new file mode 100644 index 0000000..8715c15 --- /dev/null +++ b/system/dev/dn-pre7780/mail.nix 
@@ -0,0 +1,71 @@ +{ config, ... }: +let + domain = "daccc.info"; + fqdn = "mx1.daccc.info"; +in +{ + networking.firewall.allowedTCPPorts = [ 8080 ]; + imports = [ + (import ../../modules/stalwart.nix { + inherit domain; + + enableNginx = false; + dkimKey = config.sops.secrets."stalwart/dkimKey".path; + adminPassFile = config.sops.secrets."stalwart/adminPassword".path; + dbPassFile = config.sops.secrets."stalwart/db".path; + acmeConf = { + directory = "https://acme-v02.api.letsencrypt.org/directory"; + origin = "${domain}"; + contact = "admin@${domain}"; + domains = [ + domain + fqdn + ]; + challenge = "dns-01"; + cache = "${config.services.stalwart-mail.dataDir}/acme"; + default = true; + provider = "cloudflare"; + renew-before = "30d"; + secret = "%{file:${config.sops.secrets."cloudflare/secret".path}}%"; + }; + ldapConf = { + type = "ldap"; + url = "ldap://10.0.0.1:389"; + timeout = "30s"; + base-dn = "dc=net,dc=dn"; + attributes = { + name = "uid"; + email = "mail"; + secret = "userPassword"; + description = [ + "cn" + "description" + ]; + class = "objectClass"; + }; + filter = { + name = "(&(objectClass=inetOrgPerson)(uid=?))"; + email = "(&(objectClass=inetOrgPerson)(mail=?))"; + }; + bind = { + dn = "cn=admin,dc=net,dc=dn"; + secret = "%{file:${config.sops.secrets."stalwart/ldap".path}}%"; + auth = { + method = "lookup"; + }; + }; + }; + oidcConf = { + type = "oidc"; + timeout = "1s"; + endpoint.url = "https://keycloak.net.dn/realms/master/protocol/openid-connect/userinfo"; + endpoint.method = "userinfo"; + fields = { + email = "email"; + username = "preferred_username"; + full-name = "name"; + }; + }; + }) + ]; +} diff --git a/system/dev/dn-pre7780/nginx.nix b/system/dev/dn-pre7780/nginx.nix index 2144d9e..664a7d1 100644 --- a/system/dev/dn-pre7780/nginx.nix +++ b/system/dev/dn-pre7780/nginx.nix 
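Review bot: `networking.firewall.allowedTCPPorts = [ 8080 ];` opens the Stalwart management HTTP port on every interface, and the same commit binds that listener to `10.0.0.130:8080` (`system/modules/stalwart.nix`, listener hunk) where `authentication.fallback-admin` is reachable. If the intent is admin access over the mesh only, scope the rule to that interface, e.g. `networking.firewall.interfaces."<wg-interface>".allowedTCPPorts = [ 8080 ];`, and check whether the module's existing `openFirewall = true` already opens listener ports before adding a second rule. Separately, `ldapConf.url = "ldap://10.0.0.1:389"` binds as `cn=admin,dc=net,dc=dn` and verifies against the `userPassword` attribute without TLS; unless 10.0.0.0/24 is a WireGuard-only path, use `ldaps://` (or STARTTLS) so the bind secret and password material are not sent in the clear.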
@@ -14,7 +14,7 @@ email = "danny@net.dn"; dnsProvider = "pdns"; dnsPropagationCheck = false; - environmentFile = config.sops.secrets."acme/pdns".path; + # environmentFile = config.sops.secrets."acme/pdns".path; }; }; diff --git a/system/dev/dn-pre7780/secret.yaml b/system/dev/dn-pre7780/secret.yaml index dcaa552..a1fa457 100644 --- a/system/dev/dn-pre7780/secret.yaml +++ b/system/dev/dn-pre7780/secret.yaml @@ -3,7 +3,7 @@ wireguard: dovecot: openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str] nextcloud: - adminPassword: ENC[AES256_GCM,data:7rC29qpvDGDZOuW+ONot,iv:+A7yoeys74IRsAR5unH4eHcgjbzF/UKZWY9Q0AVLN7U=,tag:v/KWQH+p0Yh9CIt7sHHDGA==,type:str] + adminPassword: ENC[AES256_GCM,data:8LjI2/vQ9aHQfZSMumnjBw==,iv:1hfhKz58v10JfPgipueQVOtlCgBXwruA00BOkhjuN/E=,tag:y/vqcztye4Xlokpbm/jHiw==,type:str] openldap: adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str] lam: 
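Review bot: Commenting out `environmentFile` leaves `dnsProvider = "pdns"` in place with no credentials, so any certificate that inherits these defaults will fail its DNS-01 challenge at issue or renewal time rather than at evaluation time; the matching `acme/pdns` secret is commented out in the `@@ -16,35 +22,37 @@` hunk of `sops-conf.nix` as well. Either drop the `dnsProvider`/`dnsPropagationCheck` lines together with the secret, or keep the secret wired up. If nothing on this host still requests a certificate through nginx (the nextcloud vhost is now `mkIf configureACME` and this host passes `false`), record that, e.g. `# nginx ACME unused on this host; Stalwart obtains its own certificates`.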
@@ -12,8 +12,12 @@ stalwart: adminPassword: ENC[AES256_GCM,data:6tUL7b2s3gLtF4Ors9CgYQ==,iv:9UQowgXKr9HR/poELP6SZijp3c2HVTHzEfwf1tZI/3w=,tag:KIOiYEwLsZLH31E2Xb478A==,type:str] tsig: ENC[AES256_GCM,data:wxsM/dbkW2fNf86b6TsLRNAce19h7mBEuSzFT84aIlaVZA/S29g1U4/CAwD4b+h/XfBgpZQCJf/9yT3yo6dbGAIAk5UgjV2cNY9pO1/uF1T6xoKDgfRZxA==,iv:9BvP8vQkTTEaNgYUPfQcfEMcWqDyD045EPBr7NyHmO4=,tag:coBBAe62kpe/L0S6V8NhXg==,type:str] db: ENC[AES256_GCM,data:ZRZ2ZzUotYMe2GfkMS7o7dz0aGg=,iv:ys6ogueueESp0y6A+hUG9zTnqmCVobuIzyqA4WVtewo=,tag:p74G+8XhMcpgDnIfh1aXTg==,type:str] + dkimKey: ENC[AES256_GCM,data:oi+XvZ9hMMsgMtFnGPMbVBGagkwQzcPQDi1b0Zd54615V5yuOLHZxpLT5Z3LYlCOQmOcrCaIwn8lQKIZbAuAq6HDUVlNabjgnHeoq3XRIvcswO/B9pljL/22JCZleSrWSBh+WE+RwQIcqUIr0eNerXCUaAQLTE8lYn6mJMa/OoHJJ3R498OGyM/8rbuIMfKj5eqJnctsd9lRWeNmiq7hpQKJ8syLXMsRM9y79NJTPGJrIAJ/5F8SfUJ256/S2N25Cq61pkaXWxTcZzXFgAGU/sa3zsY86BRwEnFEVRMnygJWrVZW/ABYgRjL99r6OBQM8WTFpE8cK9GZTpylTm+QCS9lHsAA2rnUfLTs/09z41klbGSAu5jfokM5jhyFIjmDm9h3hEk4l0F4KTWgQ7avWqGVx4yVPktrVS6eh6W7+I0V6BOUhzH0Pp9xXWwhbFrMPYAYK5MQSLAS5nd3RCQWrxZwWh//ATiWdngUeWPyObxXSTmoV254k230sT39jQmqmTK5zIkOBvokPps9q3nPq1i3UIkSAXo0ZWI+GHiL1rnzJkMMGViugJdGEwUf8nWlYMcYkHmDRUZam6DIxzkf5svtd+kbDTxRa4GzeJrOYizgwDGpD5vRA9u8i7MYBS1Rhw3UVqZ9gkjtv8mqoOkDqVnHVnS2UPtsircecvjHmhu4Tq4hn8phX3F+2I8lhXUIalzPng5zjPGNUcDT+SoCbNeHuSWDDmMYQtzM3/xwae9quP9FXhr9IGGygmFUPGsl3cuxSJ3+Cq9/Hhd7bnTYnxYfv781qTmZsFclMUWNxUJQWLJ+5BQz6u1zW64wh+5SHUGrw7CHFsdgNAKv7YN+GJMNTHOjZr9RTL9R8opDm8Iho5IyQjMP401+DY30mOCq03WKJiC8qehgoaH16ssNV6ZuoHldu2N6JKmiwywgTRq8zQEo8jPnro772CQ9Tg0/5PnkhdlLdphDEIp60IbM+XWqMNwHY57fm6U+81PcgtsoRmI5OklrrhQjv+1aRgz0vRM80FOHMv7kxgEdNkb1x15B4g0ocBXEdLuxJEVaW4uWlP9EIivXOWwaPZf1QjT8ISuUQlFMXvtNj/V3SraW3K1bErJL5JnI16z803kdoAqYijf3IrRK49SKoCq6B2V8yo8iCRod2GFt1P3ADKb/uvJ6iCBSlFRFwiJYr8qu7TPXFCpsoySEmr1edBQdAkzXxFZLDMczHq2BzUo2RPfwtDubG1GMWxzrbZ1T6N3j1+GXiyTX7XuKdpSpFlXtPuJcCIrX4D4xnjv1SqqXEcKJO9oUcdMK6+Eem7wtVDBDDYpWellT+bLmtouvdEgjYE8VG5UGJJ5NpYoJAce9c7RE5/ozuvUH+uMfqfb8igZQlBMl6hbqO7j8m11i+ijS9T6Wu2DCSVIqqBH
u8bouz1vyfq8l/whJCl1BkaZtiE5+NLkHoYSOuXGtVvEuXwMhvCWdnkxJtHZxxXQuCcBcVkD9Edg0YTslGv+XUvaYRlfZUqypqYZ9zJ21en9XPK3zafZ5gRLdY0xhXN4OKbGrXXL4cm5jfroTeez9iIL4fJGcA80PRHUGoLfK7ht2z0Lq3U91F4jz5KEhbaDtWDcMryr1Bwb6UXgLrezNM290g8J3GpXLBAdvqDXK79jSdPNqptGYt++VDeCdtA+P3z9K6aMWZzPURkLXxZ1bWy5YXP03MIkUpZWsc5lQmccUiyFe/Y+d9RSAZClmVxsQAY5y90d42EhkrOag06geziV9aaxgr57LdoPJQabD48bIbFFvimhV2DS3Gf/7gFtCXlm9oZiIqSHG+1TMKRp8XVwn6f70d76/Ba5Uiu0EX8V2x0Dsnin6GGynMBFCPKPXssHRe71SfRVxPJrzlLjtfTdPuzW5Q2k/U//z9SWd6Ao3+mzsbTC8MAYGeIzeE4GdsTs4ViEQWg5sSMSfjeKOFfgpTQi20LGomjF4gtTfnchEUBcUAarV6+hT/inYG2SlglyWwr2+LE3Ua5FWRXsZu4tBHcfE0axIb6Ju5KeogPVPo6cNoJCR2XLPNQakB9ONniCxPTW6zOx8h/A2UeIWMgbAn/jNYdd4kFu1IWBAQaZg5kSg1KmSAtnKgFmhb8A0Ope8h5fKfdX5tf0ulW0bjBz+rqNf2FQwcB/ScuEc65LSX+b0bzvIILuZfSRytFQpaQ4svjjA6mP4VIRoPRkkRl+gTEO+Ue4No4VZGE9+YdRFZ7OmtH6S1e5vu1rBiLuTVayHjuSWRu0OmxDiErP6uXPy8Q==,iv:Q5g9kxJKEKLHge2mcgk/UnTNMDFjzeLFLNjlY8KWe60=,tag:yL03NWRK2whOxNjcR3cPyA==,type:str] + ldap: ENC[AES256_GCM,data:ygOPMCNIxvWxE9dPBeKGbA==,iv:t+p1/vjEZNDTw7LcaitzYv2xCPtlf/mmQhqXT1OFKXs=,tag:uPYp259FHZu5fut+Bc9eSA==,type:str] acme: pdns: ENC[AES256_GCM,data:+InGSnaGIFVtDRlVltzWbZfquzodHUQrPeMRBnVNB9mrajlKr5dFK6DD8dXAvN7UjZFBfrgZefOPkmLR2ncLXGOV2Kl7jorVw50Y0f0iKl7mqwHaZKaQdk7cpGDkCrt/LvfbP9x7gVrs6pQpsU+c/P5rbBLRyejchh/WtiyzgowYIJxYohggeG09+l7YI3FR6U5wiymIRISpNBGEhwG0q17qdAhdtc49qP/K,iv:JcSlxAwHwU528S7iSpAnSbUZw7iO+LMjR3qGwRHp+Zk=,tag:twf2WOQb/yZ3GtN/hlikMA==,type:str] +cloudflare: + secret: ENC[AES256_GCM,data:tritGdt3bWm/YtfdF2kO8qIBisa2rGF9/Dpl8R79e6REe//YKZFqFg==,iv:UG53JZ55+gDCPJzKjbVaWnpgOdvqcRoDUg8ef9xOV9A=,tag:JD3s28dsA9G2fqtz4soATA==,type:str] sops: age: - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv 
@@ -25,7 +29,7 @@ sops: MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-09-16T04:39:12Z" - mac: ENC[AES256_GCM,data:yRVAJz73AqlBm6fxeTehfSqlTLyRYIsPjC/5igpnGC8URUiK66SUtHJSE3196AaPV+CWJrxrXfNWoCmZsP85Rr5V9nw31ZF1boaAc0YzRQBxVmBBlAK7+9Z5KADShAetYNwk9qtCrXd6S8mCwmZjNJaN/Rthy3hchxzAB0/79R4=,iv:QeNUZfmnCx4QF/0wjU/JJRu6umNFC/weW2BJx+7OaPo=,tag:KsityLnPYhugFL4c6wrs6Q==,type:str] + lastmodified: "2025-09-20T11:44:16Z" + mac: ENC[AES256_GCM,data:ZNSn4h4r1d+9YBBpjJfI+AsYGOcC8r+A61KmmRf9JfyQiI0U8Le9C+ut45YQCMW3Q57a5q8NUN1GA72iCaXUk00UuESl4ybuqotrs0SVQ/QUbQCCANkItFck7XiNJ3AJY2zbWT09tI4FlnoW/ZHXMlSiPvo+hzCAEtAaM83JpIs=,iv:QKDsRjrJ7AVOY8TZm9O/g1vc81WD8xLYFBS9A/pfxZE=,tag:IMhI59NUHKH52Rs06TTZYg==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/system/dev/dn-pre7780/sops-conf.nix b/system/dev/dn-pre7780/sops-conf.nix index 705d309..90ace7a 100644 --- a/system/dev/dn-pre7780/sops-conf.nix +++ b/system/dev/dn-pre7780/sops-conf.nix @@ -1,9 +1,15 @@ { config, lib, ... }: +let + inherit (lib) optionalAttrs; +in { sops = { secrets = { "wireguard/conf" = { }; - "nextcloud/adminPassword" = { }; + "nextcloud/adminPassword" = lib.mkIf config.services.nextcloud.enable { + owner = "nextcloud"; + group = "nextcloud"; + }; "openldap/adminPassword" = lib.mkIf config.services.openldap.enable { owner = config.users.users.openldap.name; group = config.users.users.openldap.group; 
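Review bot: `owner = "nextcloud"; group = "nextcloud";` hardcodes the account, while the `openldap/adminPassword` entry directly below derives them from `config.users.users.openldap.name`/`.group`; keep the one pattern, `owner = config.users.users.nextcloud.name; group = config.users.users.nextcloud.group;`, so a renamed service account cannot silently leave the secret unreadable. The `mkIf config.services.nextcloud.enable` guard also means `config.sops.secrets."nextcloud/adminPassword".path`, which both host configs in this commit dereference, only exists when Nextcloud is enabled — true for those two callers, but worth a one-line comment on the entry.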
@@ -16,35 +22,37 @@ mode = "0660"; }; - "stalwart/adminPassword" = - let - inherit (config.users.users.stalwart-mail) name group; - in - lib.mkIf config.services.stalwart-mail.enable { - inherit group; - owner = name; + # "acme/pdns" = { + # mode = "0660"; + # owner = "acme"; + # group = "acme"; + # }; + } + // (optionalAttrs config.services.stalwart-mail.enable ( + let + inherit (config.users.users.stalwart-mail) name group; + owner = name; + in + { + "stalwart/adminPassword" = { + inherit group owner; }; - "stalwart/tsig" = - let - inherit (config.users.users.stalwart-mail) name group; - in - lib.mkIf config.services.stalwart-mail.enable { - inherit group; - owner = name; + "stalwart/tsig" = { + inherit group owner; }; - "stalwart/db" = - let - inherit (config.users.users.stalwart-mail) name group; - in - lib.mkIf config.services.stalwart-mail.enable { - inherit group; - owner = name; + "stalwart/db" = { + inherit group owner; }; - "acme/pdns" = { - mode = "0660"; - owner = "acme"; - group = "acme"; - }; - }; + "stalwart/dkimKey" = { + inherit group owner; + }; + "cloudflare/secret" = { + inherit group owner; + }; + "stalwart/ldap" = { + inherit group owner; + }; + } + )); }; } diff --git a/system/dev/dn-server/default.nix b/system/dev/dn-server/default.nix index eb2e6a5..190866c 100644 --- a/system/dev/dn-server/default.nix +++ b/system/dev/dn-server/default.nix @@ -56,6 +56,7 @@ in hostname = "nextcloud.net.dn"; dataBackupPath = "/mnt/backup_dn"; dbBackupPath = "/mnt/backup_dn"; + adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; }) (import ../../modules/vaultwarden.nix { domain = "bitwarden.net.dn"; @@ -95,6 +96,7 @@ in mail-server = { enable = true; + configuraACME = true; mailDir = "~/Maildir"; caFile = "" + ../../extra/ca.crt; virtualMailDir = "/var/mail/vhosts"; 
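Review bot: The `// (optionalAttrs config.services.stalwart-mail.enable (...))` tail makes the attribute names of `sops.secrets` depend on `config`, which the module system must resolve before it can merge definitions; that is the usual setup for an infinite recursion should `services.stalwart-mail.enable` ever depend on a sops secret, and it is inconsistent with the `lib.mkIf` used for the nextcloud and openldap entries in the same set. Keeping the stalwart entries inside the braces as `"stalwart/adminPassword" = lib.mkIf config.services.stalwart-mail.enable { inherit group owner; };` (with the `let` hoisted above the set) avoids both issues. The six entries rely on the sops-nix default mode, which is fine, but `cloudflare/secret` is an external API token, so a comment naming what reads it (Stalwart's ACME `secret`) would help the next audit.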
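Review bot: `configuraACME = true;` misspells the option declared as `configureACME` in `system/modules/mail-server/default.nix`, so this either fails evaluation as an undeclared option or, at best, never enables anything. Because the new option defaults to `false` and `server.nix` now wraps `security.acme.certs` in `mkIf cfg.configureACME`, this host would silently stop managing its mail certificate. Change the line to `configureACME = true;`.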
@@ -127,7 +129,7 @@ in ../../../home/user/config.nix ../../../home/user/direnv.nix ../../../home/user/environment.nix - ../../../home/user/nvf.nix + ../../../home/user/nvf ../../../home/user/shell.nix ../../../home/user/tmux.nix ../../../home/user/yazi.nix diff --git a/system/dev/dn-server/services.nix b/system/dev/dn-server/services.nix index 9d64497..68a98ed 100644 --- a/system/dev/dn-server/services.nix +++ b/system/dev/dn-server/services.nix @@ -62,6 +62,7 @@ let allowedIPs = [ "10.0.0.8/32" ]; } ]; + meshRoute = [ { # pre7780.dn @@ -150,6 +151,12 @@ let publicKey = "K6Pd69/Hfu4ceCAp/JbeEL2QQ+/4ohugW1lAOxHFKDA="; allowedIPs = [ "10.0.0.147/32" ]; } + { + # GCP + dns = "gcp"; + publicKey = "5th0G9c7vHrhcByvPJAbrn2LXjLPqDEMsHzda0FGUTQ="; + allowedIPs = [ "10.0.0.148/32" ]; + } ]; in { diff --git a/system/modules/mail-server/default.nix b/system/modules/mail-server/default.nix index 3a9125f..d0f2aff 100644 --- a/system/modules/mail-server/default.nix +++ b/system/modules/mail-server/default.nix @@ -7,6 +7,11 @@ with lib; { options.mail-server = { enable = mkEnableOption "mail-server"; + + configureACME = mkEnableOption "Enable auto configuration of ACME" // { + default = false; + }; + caFile = mkOption { type = types.path; default = config.security.pki.caBundle; diff --git a/system/modules/mail-server/server.nix b/system/modules/mail-server/server.nix index 10c44ec..bcc4ce0 100644 --- a/system/modules/mail-server/server.nix +++ b/system/modules/mail-server/server.nix @@ -34,7 +34,7 @@ let in { config = mkIf cfg.enable { - security.acme.certs = { + security.acme.certs = mkIf cfg.configureACME { "${config.services.postfix.settings.main.myhostname}" = { dnsProvider = null; webroot = "/var/lib/acme/acme-challenge"; diff --git a/system/modules/nextcloud.nix b/system/modules/nextcloud.nix index 089f54a..684b484 100644 --- a/system/modules/nextcloud.nix +++ b/system/modules/nextcloud.nix 
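Review bot: The new `# GCP` peer's `allowedIPs = [ "10.0.0.148/32" ]` is the same address hardcoded as `proxy.trusted-networks` in `system/modules/stalwart.nix`, and nothing ties the two together. An address in that list may assert arbitrary client IPs via PROXY protocol, so if this peer is ever renumbered or the address reassigned, Stalwart keeps trusting whoever holds 10.0.0.148. A comment on the peer, e.g. `# GCP — PROXY-protocol front for Stalwart; keep in sync with server.proxy.trusted-networks in modules/stalwart.nix`, makes that coupling visible.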
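Review bot: `mkEnableOption "Enable auto configuration of ACME" // { default = false; }` is redundant twice over: `mkEnableOption` already defaults to `false`, and it prefixes the description with "Whether to enable", yielding "Whether to enable Enable auto configuration of ACME." Use `configureACME = mkEnableOption "automatic ACME certificate configuration for the mail hostname";`. Since `server.nix` now gates `security.acme.certs` on this option, a default of `false` changes behaviour for every existing `mail-server` host, and the only caller in this commit (`dn-server/default.nix`) misspells it as `configuraACME`; either flip the default to `true` or state the consequence in the option description.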
@@ -1,9 +1,12 @@ { hostname, + adminpassFile, datadir ? null, dataBackupPath ? null, dbBackupPath ? null, https ? true, + configureACME ? true, + trusted ? [ ], }: { config, @@ -12,6 +15,10 @@ ... }: let + inherit (lib) mkIf; + + enableBackup = dataBackupPath != null || dbBackupPath != null; + nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec { caBundle = config.security.pki.caBundle; postPatch = '' @@ -77,13 +84,15 @@ in database.createLocally = true; config = { - adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; + adminpassFile = adminpassFile; dbtype = "pgsql"; }; settings = { allow_local_remote_servers = true; log_type = "syslog"; + trusted_proxies = trusted; + trusted_domains = trusted; enabledPreviewProviders = [ "OC\\Preview\\BMP" "OC\\Preview\\GIF" @@ -102,7 +111,7 @@ in }; }; - services.nginx.virtualHosts.${hostname} = { + services.nginx.virtualHosts.${hostname} = mkIf configureACME { enableACME = true; forceSSL = true; }; @@ -112,7 +121,7 @@ in ]; systemd = { - timers = lib.mkIf (dataBackupPath != null || dbBackupPath != null) { + timers = lib.mkIf enableBackup { "nextcloud-backup" = { enable = true; description = "Nextcloud backup"; @@ -127,7 +136,7 @@ in }; }; - services."nextcloud-backup" = lib.mkIf (dataBackupPath != null || dbBackupPath != null) { + services."nextcloud-backup" = lib.mkIf enableBackup { enable = true; serviceConfig = { User = "nextcloud"; diff --git a/system/modules/stalwart.nix b/system/modules/stalwart.nix index 5c9e9b0..bc5b779 100644 --- a/system/modules/stalwart.nix +++ b/system/modules/stalwart.nix @@ -1,6 +1,9 @@ { adminPassFile, dbPassFile, + dkimKey, + ldapConf, + oidcConf, domain ? null, acmeConf ? null, enableNginx ? true, @@ -12,6 +15,17 @@ }: let inherit (lib) mkIf; + + logFilePath = "${config.services.stalwart-mail.dataDir}/logs"; + mkCondition = ( + condition: ithen: ielse: [ + { + "if" = condition; + "then" = ithen; + } + { "else" = ielse; } + ] + ); in { services.postgresql = { 
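Review bot: `trusted_proxies = trusted; trusted_domains = trusted;` feeds one list to two settings with different semantics: `trusted_domains` takes Host-header names, while `trusted_proxies` takes IP addresses/CIDRs of the reverse proxies whose `X-Forwarded-For` Nextcloud will believe. The only caller passing it (`dn-pre7780/default.nix`) supplies `[ "nextcloud.daccc.info" ]`, a hostname, which cannot match a peer address, so the proxy list is effectively empty and client IPs behind the upstream front will be wrong for brute-force protection and logging — and if an IP is later added to fix that, it lands in `trusted_domains` too. Split the parameter: `trustedProxies ? [ ]` feeding `trusted_proxies`, with `trusted` kept for `trusted_domains`. Also `adminpassFile = adminpassFile;` is `inherit adminpassFile;` in Nix idiom.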
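Review bot: `services.nginx.virtualHosts.${hostname} = mkIf configureACME { enableACME = true; forceSSL = true; };` couples TLS enforcement to certificate issuance, so a caller that only wants to skip ACME (as `dn-pre7780/default.nix` does with `configureACME = false; https = false;`) also loses `forceSSL` and serves the admin login over plain HTTP on whatever nginx listens on. Gate only the ACME part, e.g. `enableACME = configureACME; forceSSL = https;` with the vhost definition left unconditional (assuming `https` is the boolean it appears to be), or document at the parameter that `configureACME = false` implies plaintext unless TLS is terminated upstream.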
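Review bot: `dkimKey` is added as a required argument but no hunk in this diff reads it, and unchanged lines cannot have referenced a parameter that did not exist before, so unless this diff is partial the DKIM private key `mail.nix` passes in is never handed to Stalwart — outbound mail for `daccc.info` goes out unsigned while the configuration suggests otherwise. Either wire it into Stalwart's `signature.*` settings in the same change or drop the parameter until that lands. For comparison, `ldapConf` and `oidcConf` are consumed as `directory."ldap"`/`"oidc"` in the listener hunk; `dkimKey` is not.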
@@ -27,13 +41,23 @@ in ]; }; + systemd.tmpfiles.rules = + let + inherit (config.users.users.stalwart-mail) name group; + in + [ + "d ${logFilePath} 0750 ${name} ${group} - " + ]; + services.stalwart-mail = { enable = true; openFirewall = true; settings = { server = { hostname = if (domain != null) then "mx1.${domain}" else config.networking.fqdn; - auto-ban.scan.rate = "1000/1d"; + proxy = { + trusted-networks = [ "10.0.0.148" ]; + }; tls = { enable = true; implicit = true; 
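Review bot: `proxy.trusted-networks = [ "10.0.0.148" ];` hardcodes one host's GCP peer into the shared `modules/stalwart.nix`, while everything else host-specific (`domain`, `acmeConf`, `ldapConf`, `oidcConf`) is a module argument. An address trusted to assert arbitrary client IPs via PROXY protocol should be explicit at the call site: add `proxyTrustedNetworks ? [ ]` to the argument set and use `trusted-networks = proxyTrustedNetworks;` here. The tmpfiles rule `"d ${logFilePath} 0750 ${name} ${group} - "` is fine apart from the stray trailing space after `-`.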
@@ -42,56 +66,76 @@ in smtp = { protocol = "smtp"; bind = "[::]:25"; + proxy_protocol = true; + }; + submission = { + protocol = "smtp"; + bind = "[::]:587"; + proxy_protocol = true; }; submissions = { protocol = "smtp"; bind = "[::]:465"; tls.implicit = true; + proxy_protocol = true; }; imaps = { protocol = "imap"; bind = "[::]:993"; tls.implicit = true; + proxy_protocol = true; }; management = { protocol = "http"; - bind = [ "127.0.0.1:8080" ]; + bind = [ + "10.0.0.130:8080" + "127.0.0.1:8080" + ]; + proxy_protocol = true; }; }; }; + lookup.default = { hostname = "mx1.${domain}"; domain = "${domain}"; }; - acme."step-ca" = mkIf (acmeConf != null) acmeConf; + acme."letsencrypt" = mkIf (acmeConf != null) acmeConf; + session.auth = { - mechanisms = "[plain]"; - directory = "'in-memory'"; - require = true; - allow-plain-text = true; + mechanisms = "[PLAIN LOGIN OAUTHBEARER]"; + directory = mkCondition "listener != 'smtp'" "'ldap'" false; + require = mkCondition "listener != 'smtp'" true false; }; - storage.data = "db"; - store."db" = { - type = "postgresql"; - host = "localhost"; - port = 5432; - database = "stalwart"; - user = "stalwart"; - password = "%{file:${dbPassFile}}%"; + + session.rcpt = { + relay = mkCondition "!is_empty(authenticated_as)" true false; + directory = "'*'"; }; + directory = { - "imap".lookup.domains = [ domain ]; "in-memory" = { type = "memory"; principals = [ { - name = "admin"; - class = "admin"; + name = "danny"; + class = "individual"; secret = "%{file:${adminPassFile}}%"; - email = [ "admin@${domain}" ]; + email = [ "danny@${domain}" ]; + } + { + name = "postmaster"; + class = "individual"; + secret = "%{file:${adminPassFile}}%"; + email = [ "postmaster@${domain}" ]; } ]; }; + "ldap" = ldapConf; + imap.lookup.domains = [ + domain + ]; + "oidc" = oidcConf; }; authentication.fallback-admin = { user = "admin"; 
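Review bot: The `in-memory` principals `danny` and `postmaster` both authenticate with `secret = "%{file:${adminPassFile}}%"`, the same file whose name suggests it also backs the `authentication.fallback-admin` block that follows; one credential then unlocks a mailbox used from mail clients, the postmaster address, and the server's break-glass admin account, so a leaked client password is a full compromise. Give each principal its own sops secret, or drop the in-memory users altogether since `session.auth.directory` now resolves to `'ldap'` on every listener except `smtp` and nothing visible references `in-memory`. `management` is also bound on `10.0.0.130:8080` with `proxy_protocol = true`; see the note on `mail.nix` about the firewall rule. Finally, the `store."db"` block that consumed `dbPassFile` disappears here while `dbPassFile` stays a required argument — if it was not relocated, data storage falls back to Stalwart's default and the parameter is dead.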
@@ -100,7 +144,16 @@ in tracer."stdout" = { enable = true; type = "console"; - level = "debug"; + level = "trace"; + }; + tracer."file" = { + enable = true; + type = "log"; + level = "trace"; + ansi = true; + path = logFilePath; + prefix = "stalwart.log"; + rotate = "daily"; }; }; };
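Review bot: Both tracers now run at `level = "trace"`, and the new `tracer."file"` persists that output under `${dataDir}/logs` with daily rotation and no retention setting; trace-level output from a mail server can include complete SMTP/IMAP exchanges, so confirm Stalwart redacts `AUTH PLAIN`/`LOGIN` payloads at this level before leaving it on a long-lived host, or keep the file tracer at `"info"`/`"debug"` and raise only the console tracer while debugging. `ansi = true` on a file sink writes colour escape codes into the log files, which trips up grep and log shippers; set `ansi = false;` there. The 0750 directory from the tmpfiles rule keeps the files out of other users' reach, which is the right default for logs carrying addresses and message metadata.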