diff --git a/nixos/queen/configuration.nix b/nixos/queen/configuration.nix index 30ad1e7..511dc8e 100644 --- a/nixos/queen/configuration.nix +++ b/nixos/queen/configuration.nix @@ -17,6 +17,7 @@ # ./nvim.nix ./hardware-configuration.nix ./nextcloud.nix + ./mail-server.nix ]; boot.tmp.cleanOnBoot = true; @@ -58,6 +59,8 @@ sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name; sops.secrets."local.json".mode = "0440"; sops.secrets."local.json".owner = config.users.users.onlyoffice.name; + sops.secrets."mailpass".mode = "0440"; + sops.secrets."mailpass".owner = config.users.users."no-reply@nextcloud.gladtherescake.eu".name; nix = { gc = { diff --git a/nixos/queen/mail-server.nix b/nixos/queen/mail-server.nix new file mode 100644 index 0000000..3da6644 --- /dev/null +++ b/nixos/queen/mail-server.nix 
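Review bot: The added `sops.secrets."mailpass".owner` line reads `config.users.users."no-reply@nextcloud.gladtherescake.eu".name`, but nothing visible in this commit declares a system user with that name. A `mailserver.loginAccounts` entry is a virtual mailbox and, as far as I know, not a `users.users` account, so this reference will probably fail to evaluate. nixos-mailserver appears to read `hashedPasswordFile` as root when it generates the Dovecot password file at service start, which is worth confirming against the pinned release. If so, the sops-nix defaults (root-owned, `0400`) are enough and both added lines could become `sops.secrets."mailpass" = {};`. If a non-root reader really is required, name that service user explicitly and keep the mode at `0400` instead of the group-readable `0440`.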
@@ -0,0 +1,35 @@
+{
+ inputs,
+ outputs,
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a release version you are interested in and set its hash, e.g.
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.3.0/nixos-mailserver-v2.3.0.tar.gz";
+ # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
+ # release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
+ sha256 = "0lpz08qviccvpfws2nm83n7m2r8add2wvfg9bljx9yxx8107r919";
+ })
+ ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.gladtherescake.eu";
+ domains = ["nextcloud.gladtherescake.eu"];
+
+ loginAccounts = {
+ "no-reply@nextcloud.gladtherescake.eu" = {
+ hashedPasswordFile = config.sops.secrets."mailpass".path;
+ aliases = ["postmaster@nextcloud.gladtherescake.eu" "abuse@nextcloud.gladtherescake.eu" "security@nextcloud.gladtherescake.eu"];
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@nextcloud.gladtherescake.eu";
+ };
+}
diff --git a/secrets/queen-Lillian.yaml b/secrets/queen-Lillian.yaml
index cd1086e..7e81193 100644
--- a/secrets/queen-Lillian.yaml
+++ b/secrets/queen-Lillian.yaml
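Review bot: Counting braces in the new file, `certificateScheme = "acme-nginx";` sits inside `loginAccounts`, because the `};` after `aliases` closes only the account entry. The two `security.acme.*` lines likewise sit inside `mailserver`, so they would be read as `mailserver.loginAccounts.certificateScheme` and `mailserver.security.acme.*` instead of the intended options; indentation is lost in this view, so this rests on brace order alone. Add a `};` to close `loginAccounts` before the certificate comment, and move the `};` that closes `mailserver` above `security.acme.acceptTerms = true;` so the ACME settings apply at module level. The comment above `sha256` also still shows `release="nixos-23.05"` while the URL pins `v2.3.0`, so anyone re-checking the pin with that command would hash a different tarball; change it to `release="v2.3.0"`.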
@@ -1,6 +1,7 @@
 nextcloudadmin: ENC[AES256_GCM,data:LqgutUXs1msmFUNa+4JI1BEq0R8=,iv:sLP52reqsJfUNQnA9MbtbcZjGeluHDaO3dlHpWCLU4M=,tag:ChG/hZIMcmc0wt2AWOBNCA==,type:str]
 nextclouddb: ENC[AES256_GCM,data:EFwVtVD4KnEiZ5SM+1XW0U0mR/I2IXcRYXhQTgwv788=,iv:blHbNqI/Gq4tUQuqKWgrX9tYj6XKLRrWl1LFN+cn71M=,tag:H/7vobp5OwPbqsapvw7mUw==,type:str]
 local.json: ENC[AES256_GCM,data:EWMZTvnP9DmJKZq3mejvlSc8e2BZxcREn+XB1tAM5NLS0G2fdWJThkkgRz2owdAiZV2BLc/yqr4DqJzDIXiOxWWBGAbqRFH5kPw2mAdkAcW76F8tUNQSBtQXM+Gu3W3EwjQwNiwVlb1jB0BNWU4TJfZGfdk2Vt0R7ggTJhRIAwQiXC1VtMWmlAOyRIaiMzaY4ktEMJT/nxF8koZV79kiCFcAGHzoYynW16y2QkaxFca/4bTvBJCAMBuK0lLF9xeipyGZUgxPV/OAQkrQGAqHcrHL+FmQiFEIuLUBzTDQp57kV1EKKCevRUcPCX/NhQGgLYVgDrsLTb1ftB30yHjWUap+JttKXBk2HElnQVEdS37zADyQ8tYrD+2l2CLrBGctVpg6K61OP44=,iv:VbJgmvIN1/FjQJl58KBsDNTyUWtIAYbBB0iPe6I0+hE=,tag:if16JgRVPeC+m8vFeYhKtA==,type:str]
+mailpass: ENC[AES256_GCM,data:UVrc1RUV0xJFPiZ8J4refglR0p35gUd21EvvTSoeXHVE9/xC0biKmjdPu8cBmimNPmKJMvZRf8wOz+/x,iv:zIYI9JY/bfUc3nNPNopKMbh09B6KUotMUAmNDzVUBN8=,tag:53N8WlQ5CDlrp/KIEQiHgQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -16,8 +17,8 @@ sops:
 KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
 NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-11-23T19:03:04Z"
- mac: ENC[AES256_GCM,data:SaC8fw76/O1C4ahiFmpDpF19X8jXUVAs+i86dDSkHLllRxUXsVujW4NUsX0aq2OOSAFZE5QVy/Aq7Os3MsEBNezd0YxCgVpzKOj/6YUUEoNDhZGvd2n1a3ULoqlWNBhmRd42MvEWVoTWPJHlv34fkoYD+NRD1jF3QLwANBGcVqA=,iv:x1AoAMdt6+M/+mLatWpLWBTPyaRS2/pYSj250DkZWdU=,tag:HHF/zb8VWIaj8Q9T4NFwAw==,type:str]
+ lastmodified: "2023-11-24T14:30:34Z"
+ mac: ENC[AES256_GCM,data:Tl4eqh2SUEcgfOynbLoclpJKhMHkkaeV3bvkYB4dc3tv9hEWuX5HR1iI67+HVImdLcJ1zTyWkNSl+89MOWkSB85Rb643uCa5myDFQ30PHWN2ubPVoY3XzucW0nzBllZZsH6lPakNXwHTLkcf1etnWzL+/sXnYff2S/WPqTAdkwU=,iv:aWlA7jfBGStCELf/6ij2aT7EAwRp/RQP5Sw4WMPqbtE=,tag:bvSiyFrqPP0uB71zQTH08Q==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1