From eb4634e71c7ac98e4fb5b5e8d386d35ea0b76525 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Fri, 21 Jun 2024 13:46:57 +0200
Subject: [PATCH] modo-test

---
 machines/kat-mail-test/default.nix  | 33 +++++++++++++++-
 machines/kat-mail-test/modo.nix     | 55 +++++++++++++++++++++++++++
 machines/kat-r86s/configuration.nix | 58 ++++++++++++++++++++---------
 machines/kat-watcher/default.nix    | 25 ++++++++++---
 npins/sources.json                  | 15 ++++++++
 5 files changed, 161 insertions(+), 25 deletions(-)
 create mode 100644 machines/kat-mail-test/modo.nix

diff --git a/machines/kat-mail-test/default.nix b/machines/kat-mail-test/default.nix
index eb70af0..ca676e9 100644
--- a/machines/kat-mail-test/default.nix
+++ b/machines/kat-mail-test/default.nix
@@ -2,13 +2,18 @@
   config,
   lib,
   pkgs,
+  sources,
   ...
 }:
-
+let
+  host = "betamail.katvayor.net";
+in
 {
   imports = [
+    "${sources.nixos-mailserver}"
     ./hardware-configuration.nix
     ./disks.nix
+    ./modo.nix
   ];
 
   boot.loader.systemd-boot.enable = true;
@@ -75,5 +80,31 @@
 
   networking.firewall.enable = false;
 
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts."betamail.katvayor.net" = {
+      enableACME = true;
+      addSSL = true;
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = host;
+    domains = [ host ];
+
+    loginAccounts = {
+      "user1@${host}" = {
+        hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe";
+      };
+    };
+
+    certificateScheme = "acme";
+  };
+
   system.stateVersion = "23.11";
 }
diff --git a/machines/kat-mail-test/modo.nix b/machines/kat-mail-test/modo.nix
new file mode 100644
index 0000000..b1da670
--- /dev/null
+++ b/machines/kat-mail-test/modo.nix
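Review bot: The `hashedPassword` for `user1@${host}` in the second hunk is a bcrypt hash with cost factor `05`, well below the work factor expected today (10 or more), and committing the hash itself to the tree exposes it to offline guessing by anyone with read access to the repository. Even for a test host, the mailserver module's `hashedPasswordFile` keeps the hash out of version control: `hashedPasswordFile = "<path to a root-only file holding the hash>";` with the hash regenerated at a higher cost (for example `mkpasswd -m bcrypt`). A smaller point: the vhost name `"betamail.katvayor.net"` under `services.nginx.virtualHosts` repeats the `host` binding introduced in the first hunk and could be written `virtualHosts.${host}` so the two cannot drift apart.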
@@ -0,0 +1,55 @@
+{
+  config,
+  pkgs,
+  mods,
+  lib,
+  ...
+}:
+{
+  users.users.moderators = {
+    shell = pkgs.zsh;
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+  };
+  home-manager.users.moderators = {
+    home.stateVersion = "23.11";
+    imports = with mods.home; [
+      neovim
+      zsh
+    ];
+  };
+  mailserver.loginAccounts."moderators@betamail.katvayor.net" = {
+    hashedPassword = "";
+    sieveScript = ''
+      require "vnd.dovecot.pipe";
+      pipe "procmail-modo";
+    '';
+  };
+  services.dovecot2.sieve = {
+    extensions = [ "vnd.dovecot.pipe" ];
+    pipeBins = [
+      (lib.getExe (
+        pkgs.writeShellApplication {
+          name = "procmail-modo";
+          text = ''
+            exec /run/wrappers/bin/sudo ${lib.getExe' pkgs.procmail "procmail"} -d moderators
+          '';
+        }
+      ))
+    ];
+  };
+  security.sudo.extraRules = [
+    {
+      users = [ "virtualMail" ];
+      commands = [
+        {
+          command = "${lib.getExe' pkgs.procmail "procmail"}";
+          options = [
+            "SETENV"
+            "NOPASSWD"
+          ];
+        }
+      ];
+    }
+  ];
+}
diff --git a/machines/kat-r86s/configuration.nix b/machines/kat-r86s/configuration.nix
index 01443f8..7083617 100644
--- a/machines/kat-r86s/configuration.nix
+++ b/machines/kat-r86s/configuration.nix
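Review bot: The sudo rule at the end of the hunk lets `virtualMail` run procmail as root (no `runAs`, so sudo's default) with any arguments and with `SETENV`, which is far wider than the `pipeBins` wrapper above needs, since that wrapper only ever calls `procmail -d moderators`. With this rule a compromise of the Dovecot delivery process becomes a root compromise of the host, so the rule should be confined to the one invocation actually used: `command = "${lib.getExe' pkgs.procmail "procmail"} -d moderators";` together with `runAs = "moderators";`, dropping `"SETENV"`, and the wrapper calling `sudo -u moderators …` to match. procmail's manual describes `-d` as usable without root when the process already runs as the recipient, but confirm delivery to the moderators mailbox still works after the change. The `hashedPassword = ""` on the moderators account also deserves a one-line comment stating whether it is meant to disable password login for that mailbox, since what an empty hash does is decided by the mailserver module and Dovecot rather than by this file.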
@@ -128,26 +128,46 @@
       };
     };
     in
-    {
-      enable = true;
-      virtualHosts =
-        builtins.mapAttrs (_: {vm, ...}: {
-          enableACME = true;
-          addSSL = true;
-          acmeFallbackHost = vm;
-          acmeFallbackRecommendedProxySettings = true;
-          locations."/" = {
-            recommendedProxySettings = true;
-            proxyPass = "https://${vm}/";
-          };
-        }) vhosts;
-      streamConfig = builtins.concatStringsSep "\n" (lib.mapAttrsToList (vhost: {vm, sshport}: ''
+    {
+      enable = true;
+      virtualHosts = builtins.mapAttrs (
+        _:
+        { vm, ... }:
+        {
+          enableACME = true;
+          addSSL = true;
+          acmeFallbackHost = vm;
+          acmeFallbackRecommendedProxySettings = true;
+          locations."/" = {
+            recommendedProxySettings = true;
+            proxyPass = "https://${vm}/";
+          };
+        }
+      ) vhosts;
+      streamConfig =
+        builtins.concatStringsSep "\n" (
+          lib.mapAttrsToList (
+            vhost:
+            { vm, sshport }:
+            ''
+              server {
+                listen ${toString sshport};
+                proxy_pass ${vm}:22;
+              }
+            ''
+          ) vhosts
+        )
+        + ''
           server {
-            listen ${toString sshport};
-            proxy_pass ${vm}:22;
+            listen 993;
+            proxy_pass 192.168.122.3:993;
           }
-      '') vhosts);
-    };
+          server {
+            listen 465;
+            proxy_pass 192.168.122.3:465;
+          }
+        '';
+    };
 
   # Open ports in the firewall.
   networking.firewall = {
@@ -156,6 +176,8 @@
         53
         80
         443
+        465
+        993
       ];
       allowedTCPPortRanges = [
         {
diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix
index 91afca6..4999ef0 100644
--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
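Review bot: The two new `server {}` stanzas hardcode `192.168.122.3` while every other backend in this block is taken from the `vhosts` attribute set's `vm` field, so the mail VM's address now lives in a literal that will not follow a change to `vhosts`; a binding such as `mailVm = "192.168.122.3";` next to `vhosts` in the `let` above (outside the hunk), or reading the mail entry's `vm`, would keep a single source of truth. The same pair of stanzas is repeated in `machines/kat-watcher/default.nix`, which forwards to this host, so a client connection reaches the mail VM through two plain TCP relays and Postfix/Dovecot will log and rate-limit the relay's address rather than the client's, collapsing every client into one source for per-IP limits and login logs. If that matters, nginx's `proxy_protocol on;` on the upstream side plus PROXY-protocol support on the receivers is the usual remedy; whether the mail VM's services are configured for it is not visible here. The `let` and the `services.nginx` attribute enclosing this hunk both start above it.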
@@ -79,14 +79,25 @@
           proxyPass = "https://${kat-r86s}/";
         };
       }) vhosts;
-      streamConfig = builtins.concatStringsSep "\n" (
-        lib.mapAttrsToList (vhost: sshport: ''
+      streamConfig =
+        builtins.concatStringsSep "\n" (
+          lib.mapAttrsToList (vhost: sshport: ''
+            server {
+              listen ${toString sshport};
+              proxy_pass ${kat-r86s}:${toString sshport};
+            }
+          '') vhosts
+        )
+        + ''
           server {
-            listen ${toString sshport};
-            proxy_pass ${kat-r86s}:${toString sshport};
+            listen 993;
+            proxy_pass ${kat-r86s}:993;
           }
-        '') vhosts
-      );
+          server {
+            listen 465;
+            proxy_pass ${kat-r86s}:465;
+          }
+        '';
     };
 
   services.dbus.packages = with pkgs; [ dconf ];
@@ -117,6 +128,8 @@
         22
         80
         443
+        993
+        465
       ];
       allowedTCPPortRanges = [
         {
diff --git a/npins/sources.json b/npins/sources.json
index a2033ec..373a936 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -65,6 +65,21 @@
             "url": "https://github.com/nix-community/nixos-images/archive/42b13bbd6fce3bcf6272a6ed664a23b9417b82c2.tar.gz",
             "hash": "1ap3z694mjbfrwa2ddqlq1sqbwqy6xrq0r68blwr53cn7nx0rn4f"
         },
+        "nixos-mailserver": {
+            "type": "GitRelease",
+            "repository": {
+                "type": "GitLab",
+                "repo_path": "simple-nixos-mailserver/nixos-mailserver",
+                "server": "https://gitlab.com/"
+            },
+            "pre_releases": false,
+            "version_upper_bound": null,
+            "release_prefix": null,
+            "version": "v2.3.0",
+            "revision": "289f71efe2250e1155b0c74d188699397ba641d8",
+            "url": "https://gitlab.com/api/v4/projects/simple-nixos-mailserver%2Fnixos-mailserver/repository/archive.tar.gz?ref=v2.3.0",
+            "hash": "1flgj5hqzr76x2ff339kzbrfwilwy81wmml69nnwr2l5apmmly8j"
+        },
         "nixpkgs": {
             "type": "Channel",
             "name": "nixpkgs-unstable",
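Review bot: The relay ports `993` and `465` are spelled out twice in this file, once per `server {}` stanza in the first hunk and again in `allowedTCPPorts` in the second, and the same four literals recur in `machines/kat-r86s/configuration.nix`, so adding or moving a port means editing four places across two hosts. A single list such as `mailPorts = [ 465 993 ];` in the `let` that presumably binds `vhosts` above the hunk (outside it) could generate the stanzas with `map` and be appended to the firewall list as `++ mailPorts`. The two firewall lists also order the ports differently (`993 465` here, `465 993` on kat-r86s), which is harmless but makes the two hosts needlessly harder to compare.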