dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: stalwart proxy with ldap directory

Browse source
This commit is contained in:
danny 2025-09-20 22:55:35 +08:00
parent d7cf0baf67
commit 854caa3742
12 changed files with 229 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

2
home/user/waybar.nix
View file

@ -138,7 +138,7 @@ in
#memory, #memory,
#cpu, #cpu,
#pulseaudio { #pulseaudio {
font-size: ${toString (osConfig.stylix.fonts.sizes.desktop + 1)}px; font-size: ${toString (osConfig.stylix.fonts.sizes.desktop)}px;
} }
/* Main bar */ /* Main bar */

39
system/dev/dn-pre7780/default.nix
View file

@ -32,7 +32,12 @@ in
hardware.nvidia.open = lib.mkForce true; hardware.nvidia.open = lib.mkForce true;
imports = [ imports = [
./boot.nix # Extra Boot Options
./sops-conf.nix # Secret
./nginx.nix
./mail.nix
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/presets/basic.nix ../../modules/presets/basic.nix
../../modules/sunshine.nix ../../modules/sunshine.nix
@ -43,8 +48,6 @@ in
nvidia-bus-id = "PCI:1:0:0"; nvidia-bus-id = "PCI:1:0:0";
}) })
./boot.nix # Extra Boot Options
./sops-conf.nix # Secret
../../modules/gaming.nix ../../modules/gaming.nix
# ../../modules/secure-boot.nix # ../../modules/secure-boot.nix
../../modules/virtualization.nix ../../modules/virtualization.nix
@ -59,37 +62,17 @@ in
]; ];
}) })
(import ../../modules/stalwart.nix { (import ../../modules/nextcloud.nix {
enableNginx = true; hostname = "nextcloud.pre7780.dn";
domain = "pre7780.dn"; configureACME = false;
adminPassFile = config.sops.secrets."stalwart/adminPassword".path; https = false;
dbPassFile = config.sops.secrets."stalwart/db".path; adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
acmeConf = { trusted = [ "nextcloud.daccc.info" ];
directory = "https://ca.net.dn/acme/acme/directory";
ca_bundle = "${"" + ../../extra/ca.crt}";
challenge = "dns-01";
origin = "pre7780.dn";
contact = "admin@pre7780.dn";
domains = [
"pre7780.dn"
"mx1.pre7780.dn"
];
default = true;
provider = "rfc2136-tsig";
host = "10.0.0.1";
renew-before = "1d";
port = 5359;
cache = "${config.services.stalwart-mail.dataDir}/acme";
key = "stalwart";
tsig-algorithm = "hmac-sha512";
secret = "%{file:${config.sops.secrets."stalwart/tsig".path}}%";
};
}) })
../../modules/davinci-resolve.nix ../../modules/davinci-resolve.nix
../../modules/webcam.nix ../../modules/webcam.nix
../../modules/postgresql.nix ../../modules/postgresql.nix
./nginx.nix
]; ];
# Live Sync D # Live Sync D

71
system/dev/dn-pre7780/mail.nix Normal file
View file

@ -0,0 +1,71 @@
{ config, ... }:
let
domain = "daccc.info";
fqdn = "mx1.daccc.info";
in
{
networking.firewall.allowedTCPPorts = [ 8080 ];
imports = [
(import ../../modules/stalwart.nix {
inherit domain;
enableNginx = false;
dkimKey = config.sops.secrets."stalwart/dkimKey".path;
adminPassFile = config.sops.secrets."stalwart/adminPassword".path;
dbPassFile = config.sops.secrets."stalwart/db".path;
acmeConf = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
origin = "${domain}";
contact = "admin@${domain}";
domains = [
domain
fqdn
];
challenge = "dns-01";
cache = "${config.services.stalwart-mail.dataDir}/acme";
default = true;
provider = "cloudflare";
renew-before = "30d";
secret = "%{file:${config.sops.secrets."cloudflare/secret".path}}%";
};
ldapConf = {
type = "ldap";
url = "ldap://10.0.0.1:389";
timeout = "30s";
base-dn = "dc=net,dc=dn";
attributes = {
name = "uid";
email = "mail";
secret = "userPassword";
description = [
"cn"
"description"
];
class = "objectClass";
};
filter = {
name = "(&(objectClass=inetOrgPerson)(uid=?))";
email = "(&(objectClass=inetOrgPerson)(mail=?))";
};
bind = {
dn = "cn=admin,dc=net,dc=dn";
secret = "%{file:${config.sops.secrets."stalwart/ldap".path}}%";
auth = {
method = "lookup";
};
};
};
oidcConf = {
type = "oidc";
timeout = "1s";
endpoint.url = "https://keycloak.net.dn/realms/master/protocol/openid-connect/userinfo";
endpoint.method = "userinfo";
fields = {
email = "email";
username = "preferred_username";
full-name = "name";
};
};
})
];
}

2
system/dev/dn-pre7780/nginx.nix
View file

@ -14,7 +14,7 @@
email = "danny@net.dn"; email = "danny@net.dn";
dnsProvider = "pdns"; dnsProvider = "pdns";
dnsPropagationCheck = false; dnsPropagationCheck = false;
environmentFile = config.sops.secrets."acme/pdns".path; # environmentFile = config.sops.secrets."acme/pdns".path;
}; };
}; };

10
system/dev/dn-pre7780/secret.yaml
View file

@ -3,7 +3,7 @@ wireguard:
dovecot: dovecot:
openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str] openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str]
nextcloud: nextcloud:
adminPassword: ENC[AES256_GCM,data:7rC29qpvDGDZOuW+ONot,iv:+A7yoeys74IRsAR5unH4eHcgjbzF/UKZWY9Q0AVLN7U=,tag:v/KWQH+p0Yh9CIt7sHHDGA==,type:str] adminPassword: ENC[AES256_GCM,data:8LjI2/vQ9aHQfZSMumnjBw==,iv:1hfhKz58v10JfPgipueQVOtlCgBXwruA00BOkhjuN/E=,tag:y/vqcztye4Xlokpbm/jHiw==,type:str]
openldap: openldap:
adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str] adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str]
lam: lam:
@ -12,8 +12,12 @@ stalwart:
adminPassword: ENC[AES256_GCM,data:6tUL7b2s3gLtF4Ors9CgYQ==,iv:9UQowgXKr9HR/poELP6SZijp3c2HVTHzEfwf1tZI/3w=,tag:KIOiYEwLsZLH31E2Xb478A==,type:str] adminPassword: ENC[AES256_GCM,data:6tUL7b2s3gLtF4Ors9CgYQ==,iv:9UQowgXKr9HR/poELP6SZijp3c2HVTHzEfwf1tZI/3w=,tag:KIOiYEwLsZLH31E2Xb478A==,type:str]
tsig: ENC[AES256_GCM,data:wxsM/dbkW2fNf86b6TsLRNAce19h7mBEuSzFT84aIlaVZA/S29g1U4/CAwD4b+h/XfBgpZQCJf/9yT3yo6dbGAIAk5UgjV2cNY9pO1/uF1T6xoKDgfRZxA==,iv:9BvP8vQkTTEaNgYUPfQcfEMcWqDyD045EPBr7NyHmO4=,tag:coBBAe62kpe/L0S6V8NhXg==,type:str] tsig: ENC[AES256_GCM,data:wxsM/dbkW2fNf86b6TsLRNAce19h7mBEuSzFT84aIlaVZA/S29g1U4/CAwD4b+h/XfBgpZQCJf/9yT3yo6dbGAIAk5UgjV2cNY9pO1/uF1T6xoKDgfRZxA==,iv:9BvP8vQkTTEaNgYUPfQcfEMcWqDyD045EPBr7NyHmO4=,tag:coBBAe62kpe/L0S6V8NhXg==,type:str]
db: ENC[AES256_GCM,data:ZRZ2ZzUotYMe2GfkMS7o7dz0aGg=,iv:ys6ogueueESp0y6A+hUG9zTnqmCVobuIzyqA4WVtewo=,tag:p74G+8XhMcpgDnIfh1aXTg==,type:str] db: ENC[AES256_GCM,data:ZRZ2ZzUotYMe2GfkMS7o7dz0aGg=,iv:ys6ogueueESp0y6A+hUG9zTnqmCVobuIzyqA4WVtewo=,tag:p74G+8XhMcpgDnIfh1aXTg==,type:str]
dkimKey: ENC[AES256_GCM,data:oi+XvZ9hMMsgMtFnGPMbVBGagkwQzcPQDi1b0Zd54615V5yuOLHZxpLT5Z3LYlCOQmOcrCaIwn8lQKIZbAuAq6HDUVlNabjgnHeoq3XRIvcswO/B9pljL/22JCZleSrWSBh+WE+RwQIcqUIr0eNerXCUaAQLTE8lYn6mJMa/OoHJJ3R498OGyM/8rbuIMfKj5eqJnctsd9lRWeNmiq7hpQKJ8syLXMsRM9y79NJTPGJrIAJ/5F8SfUJ256/S2N25Cq61pkaXWxTcZzXFgAGU/sa3zsY86BRwEnFEVRMnygJWrVZW/ABYgRjL99r6OBQM8WTFpE8cK9GZTpylTm+QCS9lHsAA2rnUfLTs/09z41klbGSAu5jfokM5jhyFIjmDm9h3hEk4l0F4KTWgQ7avWqGVx4yVPktrVS6eh6W7+I0V6BOUhzH0Pp9xXWwhbFrMPYAYK5MQSLAS5nd3RCQWrxZwWh//ATiWdngUeWPyObxXSTmoV254k230sT39jQmqmTK5zIkOBvokPps9q3nPq1i3UIkSAXo0ZWI+GHiL1rnzJkMMGViugJdGEwUf8nWlYMcYkHmDRUZam6DIxzkf5svtd+kbDTxRa4GzeJrOYizgwDGpD5vRA9u8i7MYBS1Rhw3UVqZ9gkjtv8mqoOkDqVnHVnS2UPtsircecvjHmhu4Tq4hn8phX3F+2I8lhXUIalzPng5zjPGNUcDT+SoCbNeHuSWDDmMYQtzM3/xwae9quP9FXhr9IGGygmFUPGsl3cuxSJ3+Cq9/Hhd7bnTYnxYfv781qTmZsFclMUWNxUJQWLJ+5BQz6u1zW64wh+5SHUGrw7CHFsdgNAKv7YN+GJMNTHOjZr9RTL9R8opDm8Iho5IyQjMP401+DY30mOCq03WKJiC8qehgoaH16ssNV6ZuoHldu2N6JKmiwywgTRq8zQEo8jPnro772CQ9Tg0/5PnkhdlLdphDEIp60IbM+XWqMNwHY57fm6U+81PcgtsoRmI5OklrrhQjv+1aRgz0vRM80FOHMv7kxgEdNkb1x15B4g0ocBXEdLuxJEVaW4uWlP9EIivXOWwaPZf1QjT8ISuUQlFMXvtNj/V3SraW3K1bErJL5JnI16z803kdoAqYijf3IrRK49SKoCq6B2V8yo8iCRod2GFt1P3ADKb/uvJ6iCBSlFRFwiJYr8qu7TPXFCpsoySEmr1edBQdAkzXxFZLDMczHq2BzUo2RPfwtDubG1GMWxzrbZ1T6N3j1+GXiyTX7XuKdpSpFlXtPuJcCIrX4D4xnjv1SqqXEcKJO9oUcdMK6+Eem7wtVDBDDYpWellT+bLmtouvdEgjYE8VG5UGJJ5NpYoJAce9c7RE5/ozuvUH+uMfqfb8igZQlBMl6hbqO7j8m11i+ijS9T6Wu2DCSVIqqBHu8bouz1vyfq8l/whJCl1BkaZtiE5+NLkHoYSOuXGtVvEuXwMhvCWdnkxJtHZxxXQuCcBcVkD9Edg0YTslGv+XUvaYRlfZUqypqYZ9zJ21en9XPK3zafZ5gRLdY0xhXN4OKbGrXXL4cm5jfroTeez9iIL4fJGcA80PRHUGoLfK7ht2z0Lq3U91F4jz5KEhbaDtWDcMryr1Bwb6UXgLrezNM290g8J3GpXLBAdvqDXK79jSdPNqptGYt++VDeCdtA+P3z9K6aMWZzPURkLXxZ1bWy5YXP03MIkUpZWsc5lQmccUiyFe/Y+d9RSAZClmVxsQAY5y90d42EhkrOag06geziV9aaxgr57LdoPJQabD48bIbFFvimhV2DS3Gf/7gFtCXlm9oZiIqSHG+1TMKRp8XVwn6f70d76/Ba5Uiu0EX8V2x0Dsnin6GGynMBFCPKPXssHRe71SfRVxPJrzlLjtfTdPuzW5Q2k/U//z9SWd6Ao3+mzsbTC8MAYGeIzeE4GdsTs4ViEQWg5sSMSfjeKOFfgpTQi20LGomjF4gtTfnchEUBcUAarV6+hT/inYG2SlglyWwr2+LE3Ua5FWRXsZu4tBHcfE0axIb6Ju5KeogPVPo6cNoJCR2XLPNQakB9ONniCxPTW6zOx8h/A2UeIWMgbAn/jNYdd4kFu1IWBAQaZg5kSg1KmSAtnKgFmhb8A0Ope8h5fKfdX5tf0ulW0bjBz+rqNf2FQwcB/ScuEc65LSX+b0bzvIILuZfSRytFQpaQ4svjjA6mP4VIRoPRkkRl+gTEO+Ue4No4VZGE9+YdRFZ7OmtH6S1e5vu1rBiLuTVayHjuSWRu0OmxDiErP6uXPy8Q==,iv:Q5g9kxJKEKLHge2mcgk/UnTNMDFjzeLFLNjlY8KWe60=,tag:yL03NWRK2whOxNjcR3cPyA==,type:str]
ldap: ENC[AES256_GCM,data:ygOPMCNIxvWxE9dPBeKGbA==,iv:t+p1/vjEZNDTw7LcaitzYv2xCPtlf/mmQhqXT1OFKXs=,tag:uPYp259FHZu5fut+Bc9eSA==,type:str]
acme: acme:
pdns: ENC[AES256_GCM,data:+InGSnaGIFVtDRlVltzWbZfquzodHUQrPeMRBnVNB9mrajlKr5dFK6DD8dXAvN7UjZFBfrgZefOPkmLR2ncLXGOV2Kl7jorVw50Y0f0iKl7mqwHaZKaQdk7cpGDkCrt/LvfbP9x7gVrs6pQpsU+c/P5rbBLRyejchh/WtiyzgowYIJxYohggeG09+l7YI3FR6U5wiymIRISpNBGEhwG0q17qdAhdtc49qP/K,iv:JcSlxAwHwU528S7iSpAnSbUZw7iO+LMjR3qGwRHp+Zk=,tag:twf2WOQb/yZ3GtN/hlikMA==,type:str] pdns: ENC[AES256_GCM,data:+InGSnaGIFVtDRlVltzWbZfquzodHUQrPeMRBnVNB9mrajlKr5dFK6DD8dXAvN7UjZFBfrgZefOPkmLR2ncLXGOV2Kl7jorVw50Y0f0iKl7mqwHaZKaQdk7cpGDkCrt/LvfbP9x7gVrs6pQpsU+c/P5rbBLRyejchh/WtiyzgowYIJxYohggeG09+l7YI3FR6U5wiymIRISpNBGEhwG0q17qdAhdtc49qP/K,iv:JcSlxAwHwU528S7iSpAnSbUZw7iO+LMjR3qGwRHp+Zk=,tag:twf2WOQb/yZ3GtN/hlikMA==,type:str]
cloudflare:
secret: ENC[AES256_GCM,data:tritGdt3bWm/YtfdF2kO8qIBisa2rGF9/Dpl8R79e6REe//YKZFqFg==,iv:UG53JZ55+gDCPJzKjbVaWnpgOdvqcRoDUg8ef9xOV9A=,tag:JD3s28dsA9G2fqtz4soATA==,type:str]
sops: sops:
age: age:
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv - recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -25,7 +29,7 @@ sops:
MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA== lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-16T04:39:12Z" lastmodified: "2025-09-20T11:44:16Z"
mac: ENC[AES256_GCM,data:yRVAJz73AqlBm6fxeTehfSqlTLyRYIsPjC/5igpnGC8URUiK66SUtHJSE3196AaPV+CWJrxrXfNWoCmZsP85Rr5V9nw31ZF1boaAc0YzRQBxVmBBlAK7+9Z5KADShAetYNwk9qtCrXd6S8mCwmZjNJaN/Rthy3hchxzAB0/79R4=,iv:QeNUZfmnCx4QF/0wjU/JJRu6umNFC/weW2BJx+7OaPo=,tag:KsityLnPYhugFL4c6wrs6Q==,type:str] mac: ENC[AES256_GCM,data:ZNSn4h4r1d+9YBBpjJfI+AsYGOcC8r+A61KmmRf9JfyQiI0U8Le9C+ut45YQCMW3Q57a5q8NUN1GA72iCaXUk00UuESl4ybuqotrs0SVQ/QUbQCCANkItFck7XiNJ3AJY2zbWT09tI4FlnoW/ZHXMlSiPvo+hzCAEtAaM83JpIs=,iv:QKDsRjrJ7AVOY8TZm9O/g1vc81WD8xLYFBS9A/pfxZE=,tag:IMhI59NUHKH52Rs06TTZYg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2

64
system/dev/dn-pre7780/sops-conf.nix
View file

@ -1,9 +1,15 @@
{ config, lib, ... }: { config, lib, ... }:
let
inherit (lib) optionalAttrs;
in
{ {
sops = { sops = {
secrets = { secrets = {
"wireguard/conf" = { }; "wireguard/conf" = { };
"nextcloud/adminPassword" = { }; "nextcloud/adminPassword" = lib.mkIf config.services.nextcloud.enable {
owner = "nextcloud";
group = "nextcloud";
};
"openldap/adminPassword" = lib.mkIf config.services.openldap.enable { "openldap/adminPassword" = lib.mkIf config.services.openldap.enable {
owner = config.users.users.openldap.name; owner = config.users.users.openldap.name;
group = config.users.users.openldap.group; group = config.users.users.openldap.group;
@ -16,35 +22,37 @@
mode = "0660"; mode = "0660";
}; };
"stalwart/adminPassword" = # "acme/pdns" = {
let # mode = "0660";
inherit (config.users.users.stalwart-mail) name group; # owner = "acme";
in # group = "acme";
lib.mkIf config.services.stalwart-mail.enable { # };
inherit group; }
owner = name; // (optionalAttrs config.services.stalwart-mail.enable (
let
inherit (config.users.users.stalwart-mail) name group;
owner = name;
in
{
"stalwart/adminPassword" = {
inherit group owner;
}; };
"stalwart/tsig" = "stalwart/tsig" = {
let inherit group owner;
inherit (config.users.users.stalwart-mail) name group;
in
lib.mkIf config.services.stalwart-mail.enable {
inherit group;
owner = name;
}; };
"stalwart/db" = "stalwart/db" = {
let inherit group owner;
inherit (config.users.users.stalwart-mail) name group;
in
lib.mkIf config.services.stalwart-mail.enable {
inherit group;
owner = name;
}; };
"acme/pdns" = { "stalwart/dkimKey" = {
mode = "0660"; inherit group owner;
owner = "acme"; };
group = "acme"; "cloudflare/secret" = {
}; inherit group owner;
}; };
"stalwart/ldap" = {
inherit group owner;
};
}
));
}; };
} }

4
system/dev/dn-server/default.nix
View file

@ -56,6 +56,7 @@ in
hostname = "nextcloud.net.dn"; hostname = "nextcloud.net.dn";
dataBackupPath = "/mnt/backup_dn"; dataBackupPath = "/mnt/backup_dn";
dbBackupPath = "/mnt/backup_dn"; dbBackupPath = "/mnt/backup_dn";
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
}) })
(import ../../modules/vaultwarden.nix { (import ../../modules/vaultwarden.nix {
domain = "bitwarden.net.dn"; domain = "bitwarden.net.dn";
@ -95,6 +96,7 @@ in
mail-server = { mail-server = {
enable = true; enable = true;
configuraACME = true;
mailDir = "~/Maildir"; mailDir = "~/Maildir";
caFile = "" + ../../extra/ca.crt; caFile = "" + ../../extra/ca.crt;
virtualMailDir = "/var/mail/vhosts"; virtualMailDir = "/var/mail/vhosts";
@ -127,7 +129,7 @@ in
../../../home/user/config.nix ../../../home/user/config.nix
../../../home/user/direnv.nix ../../../home/user/direnv.nix
../../../home/user/environment.nix ../../../home/user/environment.nix
../../../home/user/nvf.nix ../../../home/user/nvf
../../../home/user/shell.nix ../../../home/user/shell.nix
../../../home/user/tmux.nix ../../../home/user/tmux.nix
../../../home/user/yazi.nix ../../../home/user/yazi.nix

7
system/dev/dn-server/services.nix
View file

@ -62,6 +62,7 @@ let
allowedIPs = [ "10.0.0.8/32" ]; allowedIPs = [ "10.0.0.8/32" ];
} }
]; ];
meshRoute = [ meshRoute = [
{ {
# pre7780.dn # pre7780.dn
@ -150,6 +151,12 @@ let
publicKey = "K6Pd69/Hfu4ceCAp/JbeEL2QQ+/4ohugW1lAOxHFKDA="; publicKey = "K6Pd69/Hfu4ceCAp/JbeEL2QQ+/4ohugW1lAOxHFKDA=";
allowedIPs = [ "10.0.0.147/32" ]; allowedIPs = [ "10.0.0.147/32" ];
} }
{
# GCP
dns = "gcp";
publicKey = "5th0G9c7vHrhcByvPJAbrn2LXjLPqDEMsHzda0FGUTQ=";
allowedIPs = [ "10.0.0.148/32" ];
}
]; ];
in in
{ {

5
system/modules/mail-server/default.nix
View file

@ -7,6 +7,11 @@ with lib;
{ {
options.mail-server = { options.mail-server = {
enable = mkEnableOption "mail-server"; enable = mkEnableOption "mail-server";
configureACME = mkEnableOption "Enable auto configuration of ACME" // {
default = false;
};
caFile = mkOption { caFile = mkOption {
type = types.path; type = types.path;
default = config.security.pki.caBundle; default = config.security.pki.caBundle;

2
system/modules/mail-server/server.nix
View file

@ -34,7 +34,7 @@ let
in in
{ {
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.acme.certs = { security.acme.certs = mkIf cfg.configureACME {
"${config.services.postfix.settings.main.myhostname}" = { "${config.services.postfix.settings.main.myhostname}" = {
dnsProvider = null; dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";

17
system/modules/nextcloud.nix
View file

@ -1,9 +1,12 @@
{ {
hostname, hostname,
adminpassFile,
datadir ? null, datadir ? null,
dataBackupPath ? null, dataBackupPath ? null,
dbBackupPath ? null, dbBackupPath ? null,
https ? true, https ? true,
configureACME ? true,
trusted ? [ ],
}: }:
{ {
config, config,
@ -12,6 +15,10 @@
... ...
}: }:
let let
inherit (lib) mkIf;
enableBackup = dataBackupPath != null || dbBackupPath != null;
nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec { nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec {
caBundle = config.security.pki.caBundle; caBundle = config.security.pki.caBundle;
postPatch = '' postPatch = ''
@ -77,13 +84,15 @@ in
database.createLocally = true; database.createLocally = true;
config = { config = {
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; adminpassFile = adminpassFile;
dbtype = "pgsql"; dbtype = "pgsql";
}; };
settings = { settings = {
allow_local_remote_servers = true; allow_local_remote_servers = true;
log_type = "syslog"; log_type = "syslog";
trusted_proxies = trusted;
trusted_domains = trusted;
enabledPreviewProviders = [ enabledPreviewProviders = [
"OC\\Preview\\BMP" "OC\\Preview\\BMP"
"OC\\Preview\\GIF" "OC\\Preview\\GIF"
@ -102,7 +111,7 @@ in
}; };
}; };
services.nginx.virtualHosts.${hostname} = { services.nginx.virtualHosts.${hostname} = mkIf configureACME {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
@ -112,7 +121,7 @@ in
]; ];
systemd = { systemd = {
timers = lib.mkIf (dataBackupPath != null || dbBackupPath != null) { timers = lib.mkIf enableBackup {
"nextcloud-backup" = { "nextcloud-backup" = {
enable = true; enable = true;
description = "Nextcloud backup"; description = "Nextcloud backup";
@ -127,7 +136,7 @@ in
}; };
}; };
services."nextcloud-backup" = lib.mkIf (dataBackupPath != null || dbBackupPath != null) { services."nextcloud-backup" = lib.mkIf enableBackup {
enable = true; enable = true;
serviceConfig = { serviceConfig = {
User = "nextcloud"; User = "nextcloud";

93
system/modules/stalwart.nix
View file

@ -1,6 +1,9 @@
{ {
adminPassFile, adminPassFile,
dbPassFile, dbPassFile,
dkimKey,
ldapConf,
oidcConf,
domain ? null, domain ? null,
acmeConf ? null, acmeConf ? null,
enableNginx ? true, enableNginx ? true,
@ -12,6 +15,17 @@
}: }:
let let
inherit (lib) mkIf; inherit (lib) mkIf;
logFilePath = "${config.services.stalwart-mail.dataDir}/logs";
mkCondition = (
condition: ithen: ielse: [
{
"if" = condition;
"then" = ithen;
}
{ "else" = ielse; }
]
);
in in
{ {
services.postgresql = { services.postgresql = {
@ -27,13 +41,23 @@ in
]; ];
}; };
systemd.tmpfiles.rules =
let
inherit (config.users.users.stalwart-mail) name group;
in
[
"d ${logFilePath} 0750 ${name} ${group} - "
];
services.stalwart-mail = { services.stalwart-mail = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = { settings = {
server = { server = {
hostname = if (domain != null) then "mx1.${domain}" else config.networking.fqdn; hostname = if (domain != null) then "mx1.${domain}" else config.networking.fqdn;
auto-ban.scan.rate = "1000/1d"; proxy = {
trusted-networks = [ "10.0.0.148" ];
};
tls = { tls = {
enable = true; enable = true;
implicit = true; implicit = true;
@ -42,56 +66,76 @@ in
smtp = { smtp = {
protocol = "smtp"; protocol = "smtp";
bind = "[::]:25"; bind = "[::]:25";
proxy_protocol = true;
};
submission = {
protocol = "smtp";
bind = "[::]:587";
proxy_protocol = true;
}; };
submissions = { submissions = {
protocol = "smtp"; protocol = "smtp";
bind = "[::]:465"; bind = "[::]:465";
tls.implicit = true; tls.implicit = true;
proxy_protocol = true;
}; };
imaps = { imaps = {
protocol = "imap"; protocol = "imap";
bind = "[::]:993"; bind = "[::]:993";
tls.implicit = true; tls.implicit = true;
proxy_protocol = true;
}; };
management = { management = {
protocol = "http"; protocol = "http";
bind = [ "127.0.0.1:8080" ]; bind = [
"10.0.0.130:8080"
"127.0.0.1:8080"
];
proxy_protocol = true;
}; };
}; };
}; };
lookup.default = { lookup.default = {
hostname = "mx1.${domain}"; hostname = "mx1.${domain}";
domain = "${domain}"; domain = "${domain}";
}; };
acme."step-ca" = mkIf (acmeConf != null) acmeConf; acme."letsencrypt" = mkIf (acmeConf != null) acmeConf;
session.auth = { session.auth = {
mechanisms = "[plain]"; mechanisms = "[PLAIN LOGIN OAUTHBEARER]";
directory = "'in-memory'"; directory = mkCondition "listener != 'smtp'" "'ldap'" false;
require = true; require = mkCondition "listener != 'smtp'" true false;
allow-plain-text = true;
}; };
storage.data = "db";
store."db" = { session.rcpt = {
type = "postgresql"; relay = mkCondition "!is_empty(authenticated_as)" true false;
host = "localhost"; directory = "'*'";
port = 5432;
database = "stalwart";
user = "stalwart";
password = "%{file:${dbPassFile}}%";
}; };
directory = { directory = {
"imap".lookup.domains = [ domain ];
"in-memory" = { "in-memory" = {
type = "memory"; type = "memory";
principals = [ principals = [
{ {
name = "admin"; name = "danny";
class = "admin"; class = "individual";
secret = "%{file:${adminPassFile}}%"; secret = "%{file:${adminPassFile}}%";
email = [ "admin@${domain}" ]; email = [ "danny@${domain}" ];
}
{
name = "postmaster";
class = "individual";
secret = "%{file:${adminPassFile}}%";
email = [ "postmaster@${domain}" ];
} }
]; ];
}; };
"ldap" = ldapConf;
imap.lookup.domains = [
domain
];
"oidc" = oidcConf;
}; };
authentication.fallback-admin = { authentication.fallback-admin = {
user = "admin"; user = "admin";
@ -100,7 +144,16 @@ in
tracer."stdout" = { tracer."stdout" = {
enable = true; enable = true;
type = "console"; type = "console";
level = "debug"; level = "trace";
};
tracer."file" = {
enable = true;
type = "log";
level = "trace";
ansi = true;
path = logFilePath;
prefix = "stalwart.log";
rotate = "daily";
}; };
}; };
}; };