chore: migrate nine host

2025-07-29 11:07:44 +00:00 · 2025-02-22 17:38:46 +03:00 · 2025-02-22 17:38:46 +03:00 · bf396257de
commit bf396257de
parent f67d2760f7
34 changed files with 400 additions and 177 deletions
--- a/modules/mail/default.nix
+++ b/modules/mail/default.nix
@ -0,0 +1,53 @@
+{ self, config, lib, ... }: let
+  inherit (lib) const enabled genAttrs head mkDefault;
+  inherit (config.networking) domain;
+
+  fqdn = "mail1.${domain}";
+in {
+  imports = [(self + /modules/acme)];
+
+  secrets.mailPassword.file = ./password.hash.age;
+
+  services.prometheus.exporters.postfix = enabled {
+    listenAddress = "[::]";
+  };
+
+  services.restic.backups = genAttrs config.resticHosts <| const {
+    paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
+  };
+
+  mailserver = enabled {
+    fqdn = mkDefault fqdn;
+
+    domains           = mkDefault [ domain ];
+    certificateScheme = "acme";
+
+    # We use systemd-resolved instead of Knot Resolver.
+    localDnsResolver = false;
+
+    hierarchySeparator = "/";
+    useFsLayout        = true;
+
+    dkimKeyDirectory = "/var/lib/dkim";
+    mailDirectory    = "/var/lib/mail";
+    sieveDirectory   = "/var/lib/sieve";
+
+    vmailUserName  = "mail";
+    vmailGroupName = "mail";
+
+    # The mailserver at <turkiye.gov> malfunctions.
+    # dmarcReporting = enabled {
+    #   domain = head config.mailserver.domains;
+
+    #   organizationName = "Doofemshmirtz Evil Inc.";
+    # };
+
+    fullTextSearch = enabled;
+
+    loginAccounts."contact@${head config.mailserver.domains}" = {
+      aliases = [ "@${head config.mailserver.domains}" ];
+
+      hashedPasswordFile = config.secrets.mailPassword.path;
+    };
+  };
+}
--- a/modules/mail/password.hash.age
+++ b/modules/mail/password.hash.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 3FKgAlI2mIHkl623ktW4WVByhP3yZr0SGnUlMegyHHc
+gbSjIj69rEKgieBaCt7AbmVKM4SzKHpeFh6VidOuJ1M
+-> ssh-ed25519 spFFQA OxjlQ9UqV/ff49cTNl2y/RrQyhRHw/bZ6A4tssSRHGw
+S2vXscTOiuIj8K0jSxactZlfC1xNeOLK1pNiOsSzcu0
+-> ssh-ed25519 dASlBQ 37/rUlIczHaI5Kd8UY5nGjh4Zainn6aRoXJf2wCIMnQ
+RQnektskdprpUMzPqBqRk3jsOokDev3COMFILjgEKV4
+-> ssh-ed25519 CzqbPQ T77BWh2cC1MtJFbBdl3MFXuQ1Htlc/kWcCtHhWV+9l8
+A+3zHRx14GklmeHzbtGGVgzLQLNGz5Z39Fx5Oc08sDo
+--- ojzWUX7nzpF8qmd7JqY3utHTTYlboKQu6+jRec61sRE
+â°ÞSôKkrÁê™&bH“5wÖµ0€Ãe;U×jmUÅ9•¤hRØ¾%16Ò|]£*Æs´þÌëwW§yœT_þ[Öug8€Q]nDØà¨vá<76> „°ˆÎ	øCÑ
--- a/modules/mail/password.plain.age
+++ b/modules/mail/password.plain.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw yK5fuqcnE1yO5tTAudZ/TXDvBf0sn4eCr39j/jZgil0
+hTr80COfDui7lhRnaDjNB2c2gtNOKQaiW4Yiz0am/A
+-> ssh-ed25519 spFFQA kDMyjjSxHOaLZ6ocr/q7MmRoqrXHdzHFzbZslaA0hlE
+jurwi1z6m+weYx5Wr3+E8+2fbYgwPFTKOPOuAYjt8wI
+-> ssh-ed25519 dASlBQ 5CYRg+Sw+jDk+S1EtLEG+PXf6EKJwx/Re9e/txOrs2A
+vUaTfOS9Fuce2x/qL5Pg3L0ZHZPBrhr63W4UT0n28uI
+-> ssh-ed25519 CzqbPQ 1uz6duuPfhpAjWjGdjwUGr7UHyqxG/zKn6rCVPgxSF8
+y5t/i2p08GqDOeaC27CJE528br/qU4i+iUEvMXDdX4w
+--- mGUus7T7rcsjt8LRCBc0vr5f3KFLSZweFYvaaNen+zg
+iOÐ2Ñ»GQ(o
ÿX3=>®:¨²É)mç½
+ÀÁ<EFBFBD>í"[ûQ»Q