feat: mailserver

2025-08-14 12:27:49 +08:00 · 2025-08-14 12:27:49 +08:00 · b8a31b6264
commit b8a31b6264
parent 0ebf0d7a29
28 changed files with 2446 additions and 1350 deletions
--- a/system/dev/dn-server/default.nix
+++ b/system/dev/dn-server/default.nix
@ -1,9 +1,14 @@
 {
  pkgs,
+  lib,
  inputs,
  username,
  ...
 }:
+let
+  inherit (lib) optionalAttrs;
+  inherit (builtins) toString;
+in
 {
  imports = [
    (import ../../modules/nvidia.nix {
@ -18,28 +23,97 @@
    ./services.nix
    ./nginx.nix
    ./step-ca.nix
-    ./mail-server.nix
    ../../modules/presets/minimal.nix
    ../../modules/bluetooth.nix
    ../../modules/gc.nix
-    ../../modules/certbot.nix
+    ../../modules/mail-server
+    (import ../../modules/prometheus.nix {
+      fqdn = "metrics.net.dn";
+      selfMonitor = true;
+      configureNginx = true;
+      scrapes = [
+        (optionalAttrs config.services.pdns-recursor.enable {
+          job_name = "powerdns_recursor";
+          static_configs = [
+            {
+              targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
+            }
+          ];
+        })
+      ];
+    })
+    (import ../../modules/actual.nix {
+      fqdn = "actual.net.dn";
+    })
    (import ../../modules/nextcloud.nix {
      hostname = "nextcloud.net.dn";
      dataBackupPath = "/mnt/backup_dn";
      dbBackupPath = "/mnt/backup_dn";
    })
    (import ../../modules/vaultwarden.nix {
-      domain = "https://bitwarden.net.dn";
+      domain = "bitwarden.net.dn";
    })
-    (import ../../modules/openldap.nix { })
-    ../../modules/terraria.nix
+    (import ../../modules/grafana.nix {
+      domain = "grafana.net.dn";
+      passFile = config.sops.secrets."grafana/password".path;
+      smtpHost = config.mail-server.domain;
+      smtpDomain = config.mail-server.domain;
+      extraSettings = {
+        "auth.generic_oauth" =
+          let
+            OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
+          in
+          {
+            enabled = true;
+            allow_sign_up = true;
+            client_id = "grafana";
+            client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
+            scopes = "openid email profile offline_access roles";
+            email_attribute_path = "email";
+            login_attribute_path = "username";
+            name_attribute_path = "full_name";
+            auth_url = "${OIDCBaseUrl}/auth";
+            token_url = "${OIDCBaseUrl}/token";
+            api_url = "${OIDCBaseUrl}/userinfo";
+            role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+          };
+      };
+    })
+    ../../modules/postgresql.nix
  ];

  environment.systemPackages = with pkgs; [
-    ferium
    openssl
  ];

+  mail-server = {
+    enable = true;
+    mailDir = "~/Maildir";
+    caFile = "" + ../../extra/ca.crt;
+    virtualMailDir = "/var/mail/vhosts";
+    domain = "net.dn";
+    rootAlias = "${settings.personal.username}";
+    networks = [
+      "127.0.0.0/8"
+      "10.0.0.0/24"
+    ];
+    virtual = ''
+      admin@net.dn ${settings.personal.username}@net.dn
+      postmaster@net.dn ${settings.personal.username}@net.dn
+    '';
+    openFirewall = true;
+    oauth = {
+      passwordFile = config.sops.secrets."oauth/password".path;
+    };
+    ldap = {
+      passwordFile = config.sops.secrets."ldap/password".path;
+      webEnv = config.sops.secrets."ldap/env".path;
+    };
+    rspamd = {
+      trainerSecret = config.sops.secrets."rspamd-trainer".path;
+    };
+  };
+
  home-manager = {
    users."${username}" = {
      imports = [