feat: stalwart mail-server
parent
85feeb7b3f
commit
a565033341
16 changed files with 1192 additions and 442 deletions
|
|
@ -64,6 +64,14 @@
|
|||
|
||||
locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
|
||||
};
|
||||
|
||||
"ca.net.dn" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "https://10.0.0.1:8443/";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
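Review bot: `proxyPass = "https://10.0.0.1:8443/";` in the new `"ca.net.dn"` vhost speaks TLS to the upstream, but nginx does not verify upstream certificates unless `proxy_ssl_verify on;` is set, so that hop is encrypted but not authenticated. If 10.0.0.1:8443 is the CA service the vhost name suggests, pin its root in the location, e.g. `extraConfig = "proxy_ssl_verify on; proxy_ssl_trusted_certificate <path-to-root-ca.pem>;";` (the path is a placeholder; a matching `proxy_ssl_name` may be needed because the upstream is addressed by IP). A one-line comment above the vhost saying what listens on 8443 and why it is published through nginx would help the next reader. The enclosing `virtualHosts` attribute set starts outside this hunk.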
|
||||
|
|
|
|||
|
|
@ -33,11 +33,20 @@ sops:
|
|||
- recipient: age1z6f643a6vqm7cqh6fna5dhmxfkgwxgqy8kg9s0vf9uxhaswtngtspmqsjw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuKzJObXlPVUJzUkEyZXlV
|
||||
Q0tEbzBPTy9kUXIwVmJkckUyWklUMzhCcTE0Ckh3bXIwRkpESTJYeTBPMGhQYk9y
|
||||
L2NQTWFuMWVqYzJHZGhTaHpDRE5CRGMKLS0tIEsybHdPMk9JeEM2cXFwdlpOeXRj
|
||||
Qm0wbmNGZDZwZlNTOVl0WVh5RXNxK2cK1Fwbgl5kKAFyrIIhBP+X4ZKFS4Xl39QY
|
||||
11qkglNgro/JBFJ/W7Hj5wtEd8QToiJM1RW0lQaI25sneQ2v6L5pDA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYWpiZ0h3VURrcW0rV0Vj
|
||||
SFJwMlRUMHUyS1FGTEo3cHZJc1Z6a3FWbmtRCkdoZXhwOGJQNlV2dU8wRFRMUHVv
|
||||
QzhxU3RiVHl5UVpUNk10S2VRVy95OHMKLS0tIE9zbUNUU3ZINU1JNGtmd2trS2tI
|
||||
d3YxREtHcTBJYU1sNU9vMGZTUGh6NXMKtGKMnnamCAeftkQ0+Ygb/yg1NdyKDz1W
|
||||
UjYvW2PYKzkx8IWmIgzdAI3fWDOiE7tmBTMlX9C3/2PKR6dCc/a+SQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxc3pna3R3aG85bmt2WERa
|
||||
aG9TaDBKTlNMTUVwaFlIdkV0UmFJQStYSHdvCmNuYWJpN2M3QjRkV2s0MHJ4TzZP
|
||||
ZkhKc0xPUFBrblVFR1U4SUdjYzQ2cm8KLS0tIDVuNW9tRGoxanVKOUJYa2QwNFNz
|
||||
OTRiU0cxeXp5K1FjaWRGTnBHcnpUYmcKVVlueEj/DELe9Xi9iaBddpPPRmoUmD48
|
||||
wyjtlvKzS20zishE/D7GkHZ2ZdNsLD3AOnYZ6r6ATAndssC2YT/SXA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-08-29T07:40:00Z"
|
||||
mac: ENC[AES256_GCM,data:QeQ5NOrcq3uNmt+MiVF+Jr3JWWBNGPw5A8pSdd1WR426WWqHTRP7NHAaVbS3st9VSmoYY5NI6JKeizuAq/NCvzOZL3Idy9mP+3HD9VZwn1GNSEGfhn+KZT02AY0JHq29KxcZlAYiWZOL4p+blG2aWfGm9+zy1GHoEXoo3OVhaEg=,iv:8uIoOE0ZJZYGZoQaskCXQKr7vl6wjsmJ4iudhvtgqtY=,tag:fRLGalP92dDyF8q+zT97BQ==,type:str]
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@
|
|||
username,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit username;
|
||||
|
||||
|
|
@ -13,10 +12,10 @@ let
|
|||
sshPortsString = builtins.concatStringsSep ", " (builtins.map (p: builtins.toString p) sshPorts);
|
||||
|
||||
personal = {
|
||||
inherit (config.networking) domain;
|
||||
ip = "10.0.0.1/24";
|
||||
interface = "wg0";
|
||||
port = 51820;
|
||||
domain = config.networking.domain;
|
||||
range = "10.0.0.0/24";
|
||||
full = "10.0.0.1/25";
|
||||
restrict = "10.0.0.128/25";
|
||||
|
|
@ -160,11 +159,13 @@ in
|
|||
kube.port
|
||||
25565
|
||||
kube.masterAPIServerPort
|
||||
5359
|
||||
];
|
||||
allowedTCPPorts = sshPorts ++ [
|
||||
53
|
||||
25565
|
||||
kube.masterAPIServerPort
|
||||
5359
|
||||
];
|
||||
};
|
||||
|
||||
|
|
@ -237,8 +238,7 @@ in
|
|||
listenPort = personal.port;
|
||||
privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
|
||||
peers = builtins.map (r: {
|
||||
publicKey = r.publicKey;
|
||||
allowedIPs = r.allowedIPs;
|
||||
inherit (r) publicKey allowedIPs;
|
||||
}) (fullRoute ++ meshRoute);
|
||||
};
|
||||
|
||||
|
|
@ -254,31 +254,31 @@ in
|
|||
extraHosts = "${kube.masterIP} ${kube.masterHostname}";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = lib.mkDefault true;
|
||||
authentication = ''
|
||||
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
|
||||
'';
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "powerdnsadmin";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
{
|
||||
name = "pdns";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
ensureDatabases = [
|
||||
"powerdnsadmin"
|
||||
"pdns"
|
||||
];
|
||||
};
|
||||
|
||||
services = {
|
||||
dbus.enable = true;
|
||||
blueman.enable = true;
|
||||
|
||||
postgresql = {
|
||||
enable = lib.mkDefault true;
|
||||
authentication = ''
|
||||
host powerdnsadmin powerdnsadmin 127.0.0.1/32 trust
|
||||
'';
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "powerdnsadmin";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
{
|
||||
name = "pdns";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
ensureDatabases = [
|
||||
"powerdnsadmin"
|
||||
"pdns"
|
||||
];
|
||||
};
|
||||
|
||||
openssh = {
|
||||
enable = true;
|
||||
ports = sshPorts;
|
||||
|
|
@ -293,6 +293,7 @@ in
|
|||
enable = true;
|
||||
extraConfig = ''
|
||||
launch=gpgsql
|
||||
loglevel=6
|
||||
webserver-password=$WEB_PASSWORD
|
||||
api=yes
|
||||
api-key=$WEB_PASSWORD
|
||||
|
|
@ -302,6 +303,8 @@ in
|
|||
webserver=yes
|
||||
webserver-port=8081
|
||||
local-port=5359
|
||||
dnsupdate=yes
|
||||
allow-dnsupdate-from=10.0.0.0/24
|
||||
'';
|
||||
secretFile = config.sops.secrets.powerdns.path;
|
||||
};
|
||||
|
|
@ -310,6 +313,7 @@ in
|
|||
enable = true;
|
||||
forwardZones = {
|
||||
"${config.networking.domain}." = "127.0.0.1:5359";
|
||||
"pre7780.dn." = "127.0.0.1:5359";
|
||||
};
|
||||
forwardZonesRecurse = {
|
||||
"." = "8.8.8.8";
|
||||
|
|
@ -380,11 +384,16 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.raspamd-trainer = {
|
||||
after = [ "pdns-recursor.service" ];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"powerdns.${config.networking.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://localhost:8000";
|
||||
locations."/api".proxyPass = "http://127.0.0.1:8081";
|
||||
locations."/".proxyPass = "http://127.0.0.1:8000";
|
||||
};
|
||||
|
||||
"uptime.${config.networking.domain}" = {
|
||||
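Review bot: The added `locations."/api".proxyPass = "http://127.0.0.1:8081";` publishes the PowerDNS HTTP API on the `powerdns.${config.networking.domain}` vhost, so anyone who can reach nginx is stopped only by `api-key`, which the `extraConfig` earlier in this file sets to the same `$WEB_PASSWORD` as `webserver-password`. If the API is only needed from the WireGuard range, restrict the location, e.g. `locations."/api" = { proxyPass = "http://127.0.0.1:8081"; extraConfig = "allow 10.0.0.0/24; deny all;"; };`, and give the API its own secret rather than reusing the web password. The `dnsupdate=yes` / `allow-dnsupdate-from=10.0.0.0/24` lines in the same file authorise dynamic updates by source address alone across the whole range, including the `restrict` /25; per-zone `TSIG-ALLOW-DNSUPDATE` metadata would bind updates to a key instead. Separately, `systemd.services.raspamd-trainer` looks like a misspelling of `rspamd-trainer`; if so, the `after = [ "pdns-recursor.service" ];` ordering lands on a new, otherwise empty unit instead of the intended one, which is worth confirming.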
|
|
|
|||