Move mailserver to disk host and refactor config

Also fix a few mistakes like using the plain
password instead of a hashed one.

.gitignore

@@ -7,12 +7,12 @@
 !hosts/cube/
 !hosts/cube/forgejo/
 !hosts/cube/grafana/
-!hosts/cube/mail/
 !hosts/cube/matrix/
 !hosts/cube/nextcloud/
 !hosts/cube/restic/
 
 !hosts/disk/
+!hosts/disk/mail/
 
 !hosts/enka/
 

hosts/cube/forgejo/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: with lib;
+{ self, config, lib, pkgs, ... }: with lib;
 
 let
   inherit (config.networking) domain;
@@ -8,7 +8,7 @@ let
   port = 8001;
 in systemConfiguration {
   secrets.forgejoMailPassword = {
-    file  = ../mail/password.plain.age;
+    file  = ../../disk/mail/password.plain.age;
     owner = "forgejo";
   };
   secrets.forgejoRunnerPassword = {
@@ -93,7 +93,7 @@ in systemConfiguration {
         ENABLED = true;
 
         PROTOCOL  = "smtps";
-        SMTP_ADDR = config.mailserver.fqdn;
+        SMTP_ADDR = self.disk.mailserver.fqdn;
         USER      = "git@${domain}";
       };
 

hosts/cube/grafana/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }: with lib;
+{ self, config, lib, ... }: with lib;
 
 let
   inherit (config.networking) domain;
@@ -12,7 +12,7 @@ in systemConfiguration {
     owner = "grafana";
   };
   secrets.grafanaMailPassword = {
-    file  = ../mail/password.plain.age;
+    file  = ../../disk/mail/password.plain.age;
     owner = "grafana";
   };
 
@@ -63,10 +63,10 @@ in systemConfiguration {
       password        = "$__file{${config.secrets.grafanaMailPassword.path}}";
       startTLS_policy = "MandatoryStartTLS";
 
-      ehlo_identity = "contact@${domain}";
+      ehlo_identity = "metrics@${domain}";
       from_address  = "metrics@${domain}";
       from_name     = "Metrics";
-      host          = "${config.mailserver.fqdn}:${toString config.services.postfix.relayPort}";
+      host          = "${self.disk.mailserver.fqdn}:${toString config.services.postfix.relayPort}";
     };
   };
 

hosts/cube/mail/password.hash.age

@@ -1,16 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw ROfnN1si3Rncdtcn/iahfVo5YuuLCETT0eQCpmwEmzU
-eyP2n9rwdYPInONLJRQmZLiKOHOlWyO4O75L0LqoXcU
--> ssh-rsa jPaU3Q
-Ts4Nj/k3hYVUC1lh0a5Z3YanVTS4OL81TVGnClhw2UCmkbOmvYWyuONCNb2On+om
-rp+b6jxjkyQIsRLw6Tt/elBdiBdVpTzbu3GoDlJZM/mmYJkyolYdH2bvNBIXnb6y
-G2W4oygVCs0NoLas2WoAppAn8lLHp02jTlCtkVaz/0xgtBf+5ns3ccYTiDF5vsV9
-JGN1CVyD0tguPNyL5D4TDu+QAWPqaMqDtmyF7CvfM+5T4khzgPEvjAQgbp6OpmXm
-z3dCVdeuwqg4SMCT8j2/lcwP9zSPQnoALj/WgvCzWHy+7ww+tN4XGw5068ViDKD9
-LHtwb5PTvoDfVvpq4TP6E0zPG7wuil5Ik/W4gfWVa5JR2II3qY/IVtIWAZWxsUvB
-1P4CXB8F6Ht2gTAPjCSYsgfjvSj8UiTp26igL+m53i/18C08Lxs+Xqc27on6y0hm
-7yAwCVK86f8kCRiQyJlKNEaiaPV/QFjE4M/547WL2TZqYvzOHT5790eNegxwOjpK
-
---- TNDzf7KIjijlWDI/0qkdyPZNhMEhoheWEC6br9IHn8Q
-‘z鎀æ,ÝØlr}|¨$‡°<¬N<13>²0iÈŪÆÐö
-~@½ÔÌÑï_ën*¸A„OÌ-Ñ!¯&m‘igZø
ÝÌDâê-Ù¶çàƒx6JÒV‡‚x¯½3Žâ÷åè

hosts/cube/mail/password.plain.age

@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw VFixlr9X2FwNhyDsGAi6gjgLA9C4GCxwjNddtnaJDj4
-fVSYpYbhsBjaCAsvy5S/I/PEwLdqoLPvWDzmORtw4Js
--> ssh-rsa jPaU3Q
-tWcrrFr6FfhtM6PrcvuDs08r6IOPTISsnkHk+Aa8Ud5lY1QJU5j8CENFyYPHMxfY
-Br595dZzt69PAUAzrxFZZ3tlup+ckm15lBjCSg5UHbQ1b7vwknHIS3jAFsBBkDE6
-WIp214CWz4dCeC/xb45bTr/hwUNXjWi1MrwfHwMScDf64hnYBwth7Un/guSgTO6O
-aI97NR4X7J3EK9pnjezlaTQ6NroUfid9PS5cs7dQZfLrOKIkxtVW+cU20F7gRo3o
-zwvK0hdby4hgUEF6k7ifUCRdO4S0xShTri/Yyv6nVoCFqMq/Iw6XEdR+ZNjYnU05
-G4S716jQC/xVsXwCJpQBkgKyEoZij9CjrWaSOPFBItMM0WgGGmSVZEcpVQL3hLJq
-M0zdH4k5m1AKekhDityeOrOP9SjD678/AfIvsRwQz7zJtzLZ3ZsSMJPJAQPw24wb
-HLBsmQ6u1igkv80r/YA3e0xsc3kFHgyo2WHEEYo69l0M+V8O0DPVr6ZXOiXFrwiw
-
---- cG5tzw9uAYr55dQIw55M/vVWIAxNZlkBffvETqtpWhQ
-¥ Í/Ízª£kW¯ZËmÌ,ˆB¦`fUœ§þ§qh5n„êÿ<C3AA>‰–‘"#_

hosts/cube/nextcloud/default.nix

@@ -80,7 +80,7 @@ in systemConfiguration {
     settings = {
       default_phone_region = "TR";
 
-      mail_smtphost     = "::1";
+      mail_smtphost     = "::1"; # FIXME: Will need to use SMTP.
       mail_smtpmode     = "sendmail";
       mail_from_address = "cloud";
     };

hosts/cube/nextcloud/password.age

@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw hg/Np9ZC+ruS4fs2mFBtVpLDQetEDDU5UUgq6ff0ZSw
+-> ssh-ed25519 +rZ0Tw IQWFzBlRcGmKOt1qjmYwNlFNIkQO0LmE8nTd3y/rB2g
-5OwfED/OfF2gaWygU5mwUmo4g5TamTn5tKuDi/Slnuc
+VGYkMPzYIPdG863zw+GJjmZrSkGqxR3e6E6QZ6lsHNg
 -> ssh-rsa jPaU3Q
-wSoz/n/fhqZcQNFOqvaXRQtfPpsMMunKK616xBa1WA5zS6OWYltX7x2SEaq/T9N5
+TbPLHJ83xlBl/m4BrFxoZwhisMJyjKVFt2xn0h9tNdipUj+Tp6rd7fxt1f1qAjAS
-rRCg8EqJZsAlLKt5vyMQKIYzpJ6+m17sIyRoe6qTNP1Oj/+63U1uBGjdN1zgg/8h
+49s8VuaugA5oa/nTy53+BcgWCHIBaqrb9T3SeTvIk47VqoPSNoJG8WlRTJjoLSaQ
-IbU99rIq36AjJWNeJQu0JwhJP/CxmIVcdgY4zAtvKBnRbsK5joigOUISuJ1PJYto
+wSVymFmRA//RAaYSF2T+Tbzm/xCUFvsL3RbdXSlc1NQo1g94UQ3lCuMm6S/rWv2A
-oYMIS3XL48PDI5bD6BxW/L1t+1Z6hCiWH/iL4mogoF8/GGfB6UAXCtmGENBgCC0x
+COtFbUC4RO/RpoxfG429UTEUpM+fx4sbpR+Q6sBLlwW5YSCvTj6L24nQU91otzQX
-htIA5PThL7Z+imJeP+OhczwCkezteuFVjalOllboRlhLV7K1hUVSPPIhQD/JFDNa
+wsahkfll21f+EV1FHJ0G9vKPMzeXVC40KH8YF0Pw7+954DMYV3npg1l6tA9JCaBi
-ed/eg4BtThkbDkXfvkJDk5/oaQKi43KIQq/TNAlAmQrCuerddGT+MOzIcwICp65r
+PaGzKC+pmre9cMvMOcDVJIn8kGTb0Cpxfgm/9Jtygabd8QVSYEaFifyqVEiHJcG2
-pA9WvtldfzhGP6A8VOR2hiHAXtrmLI0gMl6Yq7TTS5lXCBvKGvyKNWOUPasZKdLF
+RfzCuF+rkDBaNYJTQwFqEp0JNsQR9GJXrQLJfR10zei20KWa9jWYR23IcYDWwzBE
-RgUH33HB/o+fNEuB3UcVrJ+IeVT50lDbK2hlV5UrufslKJWKpBvGA9bIGA0T3Fti
+Hc8y0OHDzskGsXgm27dWPaK5rEKegGQZYaxUtfeQSlDWTcHrQjee5vneUA+njwBx
 
---- in+sCqQ+aJ7k5BKPmOGtMUyvTuIdpc2+DPCCPlBVbsE
+--- 2luD3ArnWE3DVaEjrzed2gxH74MJL2Hn+0OY0euyAZ8
-»:ñ<i.”ùPeã„eÑÑ<C391>_÷»ª+¾hyíxM«±PÉ—àvKf;‹Á¨ 
+<EFBFBD>捶ﾇOｷrｦWÅkｹ<EFBFBD>､ﾑ㌍鼬<EFBFBD>c-&ｭ0､ﾍ倣ﾋ&ｴ9蓜#ｮ

hosts/disk/mail/default.nix

@@ -7,7 +7,7 @@ let
 
   prometheusPort = 9040;
 in systemConfiguration {
-  secrets.mailPassword.file = ./password.plain.age;
+  secrets.mailPassword.file = ./password.hash.age;
 
   services.prometheus = {
     exporters.postfix = enabled {
@@ -27,12 +27,6 @@ in systemConfiguration {
     }];
   };
 
-  services.dovecot2.sieve = {
-    extensions       = [ "fileinto" ];
-    globalExtensions = [ "+vnd.dovecot.pipe" "+vnd.dovecot.environment" ];
-    plugins          = [ "sieve_imapsieve" "sieve_extprograms" ];
-  };
-
   mailserver = enabled {
     inherit fqdn;
 

hosts/disk/password.floppy.age

@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 spFFQA H+q9QwbbRhlHhb6kUW/TH7G3dPsmbkHa0BUDHDKuXQY
+-> ssh-ed25519 spFFQA IzcagogBUz24J5ooZtYMHq+F0dpL8zAmjFNwaFzVtDE
-JEoXwrxEVBhVU1euXi2eUtJWVdbx29WVhyVSjCKCYJw
+JtifcKwLlC9FQF/KmFcGEfymowmgWtMbt2JudfJcvZg
 -> ssh-rsa jPaU3Q
-JN5Q6jUOU4CScuJ3TdDk+RCaD8P21UDk4Se6/88eFB8RCuxl5tGpkdhScuwkIfX2
+czboYSAr86q0XBgdh5QlPZgsA0HP8Dgh7MUldHabEl5FAPTLv0qW/EqQZO4hPRSU
-C3x6VIc+tRBSxWA67jm0r+VTpDC6RasYK9fvKk79UEZqax5owvHzzxBlC6gcvbco
+tS4cfduzlD/B/EcIlAhjzRldX7Lev01WXdId3i3nu56C0obGWIcfMibVUtBgXF/G
-RngT1Rs/5Xx7SP5jSYgPc+kkgK3FSp9M1z9YJBHHB1+D+oxaXK50eS28Vt3JlZFn
+hMzBdDC/2c+W5coITWQBLw0+neXiek65GDP6VMrNBH01OqzmSmwmmXm0v+dpzxzY
-rbmWHYlk9p2hwgmpLcTxzop+tjGYehjE0H4Bod5bZIosE8aIilYKB3ns4aacBEcf
+94ZlQ7SGPp261ATI/+ACTGip9rYTf7FwQLWDXUQe58/ZB8bKYyVW6qf0C57x9YKN
-O1QfbLzYMCpnD6OYhfNYZsuTcKaf8RbDWIxmnXH+P9M6pS58qrea41A9bfFHQXtR
+d3STjEiFijOMNFT7+N2PGyaidnP2ssPVZaUIbp3/6n3rA6nkeWBXnmdQi7Rsy0HZ
-yFztfMheybQXXlSB6LGwcbIdZIMWf/SmNjdTiteehQEXDJNnxCQ8fSSjAKvN1btL
+xryypN9Bm4dtCVdZ6BVxOBSWLHT2BOZzBM9rbuV9Pmd7F+Jc2RatYVMxOjDHNOD6
-DYZWpgxHDXl/2q07MtSJ8aRoZC66Gw3h49oBHg0Gdk+HRNcE1JB0Du0uUnTj+gkD
+q6jMclAXDVkkVJo+R+Vvpe2r1GbL36KRyWuvF63kkM09H6zvjhQfYBSstQLnVaLg
-G1l4Sb60u6wQ73vCzdovwKnPkU80DpndZoJZtZ3EXyuARoPBN2HyeMv1fz/h06Dc
+Fgwv4zA5ZaD797zz2o/r09NWre+o8gEFwsI4hhAuepmyhg1hXUX+IezlU741skaV
 
---- y6FU1rTLKAKWOaZrB9jb5j3AoJbDU1SPfcYJkS7abSk
+--- MIMZQBdkxeA1JLidxa8AW/FvT9qaXukAykTLSTcbdY4
-ˆä_ÀÙ™  Xa±n’“·Ç3÷«„~s<>Ù³!.ÙXQmØØFŠÀa1ýÏP‹àÅV‰SŸg}O¯È9Ùã:?<3F>öë°þ\ (T"ÜƬöÇ(`îOÑ*•<>OȒĹfîþ#!J óž
+3Ę‚•Č÷+’<>–¦ĎĺžÁŕČ<>.˛˘§5ŠM)¬
šr_dŞ.ŕ"î z@ĘפwM?¤fSĺwËĄ%PÖ"¨ŁĎ53
Ĺp—ůĆç¤}m]g0RtĘä¤ô»!şe^¤OŮáüEĚŞQe	“Ů

hosts/enka/password.orhan.age

@@ -1,14 +1,14 @@
 age-encryption.org/v1
 -> ssh-rsa jPaU3Q
-W5uxZYQpAVzMAWNz1cjSJ1HfcJc9GDcG9lE417tpaVbsvSZsetr9oMyH9l2Gzbjl
+qPvt5V1GiPtd2oqnec1A8ZUVHiz0EL/5NerqjZRuZwpzPkjvt7nnf7S45gtffUzQ
-0a/T+hzQ6hrs0l2/L1k20JWAcTCPQtl6vBQdQRisuPQ2g4EnVRq8m8NYkGKVKaWa
+YtYP9HoyG3eDcnu2+FqCWTeyTb58ZDGSWFk8gsI2/rjZQFQMjzalHvgP0Gd09RjR
-YCDChJaxNPtgyYo0QjhMAz5bpy/b8U4KbGkCV4xYsVsYrJJfsW/bdOdxraCoNr10
+mrIVLvO2Ybrpkotf27P7H1sBR4pwpZirJIvoEMY2+rMDzeG0IUJxv1ATjMP2YhrJ
-8xLd/BQQJIDpZ1dAShf+fyTP5u6mTm7cNhIHpTd+egVcg/TZX+SfHxhlfxLSYWfc
+il7xr4Z15g99Ty21iVaBEuxu+3BXHI3W3tZIAmXvLUnJFgZq3Oh2yx1qOkhT5kiq
-yet7XBN4SZW1pXrVRfAgg7wLdLJ8+wH2wwaB0rOXi0/Kb3+YF4Kf3dr9H6DBmIG/
+AcQfwqXWEOgQRapt97VK4jxP4wq18aNXTDTQCmJiXq76NILrxpo78ZW7Jmr7vJbf
-EMD/cmhIHlbP8bDOm2tivLzKOqCG18esoiR4QpI0AkWUt+K4wWTYt7kllEM+l41w
+uMl+n7nu7ny33G3tALL+6AkxwrT2ObMXusQIjjb7hZUjtXOIRTEjmPH7NurXv9NC
-A6BrB2aqeGddSh6+a8Z3OXjTMnn2nbMpWjKJxoHwJMYtPqilEZ36kmEvOfvGeRsl
++1dfCKM/BCL2ty4upfaL1bGoLCiU7mH2xTMjco09a4QYMUkCog9FCD0yK6tXVUIF
-j4gZvCbJ/NqNkDjTpZIJ5V2jtQO7nuNimkQSc5F4F7qv++JRU5anAbWNR0cVhAlX
+rTzC0pFlWlOQH4lAbiEX7jwLZt2uCZPMwb6kuCLe1DwivnirtZlTrcXIEO6NEC6Q
 
---- QMfPpiqyrBg+aX5FyuW7XPe5G+USHk71BB1gqvrvnxg
+--- wl+y9YZobP083MhKCTWH9ZdS4zmOQ86hQgSnlm59eV0
-椬e_Τ‘öÁñB_<10>)40”©R½.{>¼‚n½<ͶŽŠe¼®ÜÍײa”y‹
+ØèŽrðö½k¥œ%8´í]úDi
Nÿ,}©àÉŸ
-%€tͶƽr$ÖOg5Ë|ÎJ¨!s(á”cÆ1ù€ä¿Å‘üå¦Xßý…
+E<EFBFBD>Íu<EFBFBD>Ù?C„V2,6ññŽTç½jÇàíŸNH&â£ÅÐïƒo–Ll°5UDE°PÝ€å•/W…•ƒ

secrets.nix

@@ -7,9 +7,6 @@ in with keys; {
   "hosts/cube/id.age".publicKeys           = [ cube enka ];
   "hosts/cube/password.rgb.age".publicKeys = [ cube enka ];
 
-  "hosts/cube/mail/password.plain.age".publicKeys = [ cube enka ];
-  "hosts/cube/mail/password.hash.age".publicKeys  = [ cube enka ];
-
   "hosts/cube/forgejo/password.runner.age".publicKeys = [ cube enka ];
 
   "hosts/cube/grafana/password.age".publicKeys      = [ cube enka ];
@@ -25,6 +22,9 @@ in with keys; {
   "hosts/disk/id.age".publicKeys              = [ disk enka ];
   "hosts/disk/password.floppy.age".publicKeys = [ disk enka ];
 
+  "hosts/disk/mail/password.plain.age".publicKeys = [ cube disk enka ]; # TODO: Move to shared.
+  "hosts/disk/mail/password.hash.age".publicKeys  = [ disk enka ];
+
   ### enka
   "hosts/enka/password.orhan.age".publicKeys = [ enka ];
   "hosts/enka/password.said.age".publicKeys  = [ enka ];