diff --git a/applications/email.nix b/applications/email.nix
new file mode 100644
index 0000000..b660c02
--- /dev/null
+++ b/applications/email.nix
@@ -0,0 +1,169 @@
+{ config, pkgs, lib, ...}: with lib;
+ let
+ cfg = config.services.skynet_email;
+ in {
+
+ imports = [
+ ./dns.nix
+ ];
+
+ /*
+ backups = [
+ "/var/vmail"
+ "/var/dkim"
+ ];
+ */
+
+ options.services.skynet_email = {
+ # options that need to be passed in to make this work
+
+ enable = mkEnableOption "Skynet Email";
+
+ host = {
+ ip = mkOption {
+ type = types.str;
+ };
+
+ name = mkOption {
+ type = types.str;
+ };
+ };
+
+ domain = mkOption {
+ type = types.str;
+ default = "ulcompsoc.ie";
+ description = lib.mdDoc "domaino";
+ };
+
+ sub = mkOption {
+ type = types.str;
+ default = "mail";
+ description = lib.mdDoc "mailserver subdomain";
+ };
+
+ ldap = {
+ hosts = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ldaps://sso.skynet.ie"
+ ];
+ description = lib.mdDoc "ldap domains";
+ };
+
+ base = mkOption {
+ type = types.str;
+ default = "dc=skynet,dc=ie";
+ description = lib.mdDoc "where to find users";
+ };
+
+ searchBase = mkOption {
+ type = types.str;
+ default = "ou=users,${cfg.ldap.base}";
+ description = lib.mdDoc "where to find users";
+ };
+
+ bind_dn = mkOption {
+ type = types.str;
+ default = "cn=admin,${cfg.ldap.base}";
+ description = lib.mdDoc "where to find users";
+ };
+
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
+
+ # set up dns record for it
+ skynet_dns.records.external = [
+ # basic one
+ "mail A ${cfg.host.ip}"
+
+ "${cfg.domain} MX 10 ${cfg.sub}.${cfg.domain}"
+
+ # reverse pointer
+ "${builtins.substring 9 3 cfg.host.ip}.99.1.193.in-addr.arpa IN PTR ${cfg.sub}.${cfg.domain}"
+
+ # SPF record
+ "${cfg.domain} TXT v=spf1 a:${cfg.sub}.${cfg.domain} -all"
+
+ # DKIM
+ #"mail._domainkey 10800 TXT v=DKIM1; p="
+
+ # DMARC
+ "_dmarc TXT v=DMARC1; p=none"
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "${cfg.sub}.${cfg.domain}";
+ domains = [
+ cfg.domain
+ ];
+
+ #hierarchySeparator = "/";
+
+ # 100MB max size
+ messageSizeLimit = 100000000;
+
+ #localDnsResolver = false;
+
+ ldap = {
+ enable = true;
+ uris = cfg.ldap.hosts;
+ bind = {
+ dn = cfg.ldap.bind_dn;
+ passwordFile = config.age.secrets.ldap_pw.path;
+ };
+ searchBase = cfg.ldap.searchBase;
+ searchScope = "sub";
+
+
+ dovecot = {
+ #userAttrs = "uidNumber=uid,gidNumber=gid,skMail=mail";
+ # use the set email account
+ #userFilter = "(&(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))(uid=%n))";
+ #userFilter = "(&(objectClass=posixAccount)(uid=%u))";
+ userFilter = "(uid=%n)";
+
+ # "fix" until userAttrs is fixed
+ passAttrs = ''uid=user,userPassword=password
+ user_attrs = uidNumber=uid,gidNumber=gid
+ '';
+ passFilter = "(uid=%n)";
+ };
+
+ postfix = {
+ filter = "skMail=%s";
+
+ # these may be reversed???
+ # https://gist.github.com/calbrecht/bca39174f39a74e52a6d05bf630ad495
+ uidAttribute = "skMail";
+ mailAttribute = "uid";
+ };
+
+
+ };
+
+
+ # feckin spammers
+ rejectRecipients = [
+
+ ];
+
+ };
+
+ # tune the spam filter
+ /*
+ services.rspamd.extraConfig = ''
+ actions {
+ reject = null; # Disable rejects, default is 15
+ add_header = 7; # Add header when reaching this score
+ greylist = 4; # Apply greylisting when reaching this score
+ }
+ '';
+ */
+ };
+}
diff --git a/flake.lock b/flake.lock
index f0528a9..49dcf65 100644
--- a/flake.lock
+++ b/flake.lock
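Review bot: The Dovecot `userFilter = "(uid=%n)"` admits any entry under `searchBase` whose uid matches the login name, while the `memberOf=cn=skynet-users` variant that would have limited logins to the intended group is left commented out; if the group filter was dropped because of the userAttrs problem, the comment above it should say so, otherwise it should be restored. `bind_dn` defaults to `cn=admin,${cfg.ldap.base}`, so the mail host authenticates to the directory with the admin identity and `secrets/ldap/pw.age` becomes an admin credential on that machine; a dedicated read-only bind account would bound what a compromised mail server can do with it. The A record `"mail A ${cfg.host.ip}"` hard-codes the label while the MX, SPF and PTR lines use `${cfg.sub}`, so changing `sub` leaves the A record behind; `"${cfg.sub} A ${cfg.host.ip}"` keeps them in step. The `uidAttribute`/`mailAttribute` pair still carries the `these may be reversed???` note, and with the DKIM record commented out and DMARC at `p=none` only SPF authenticates outbound mail, so a comment stating whether that is intentional for this stage would help. Minor: `description = lib.mdDoc "domaino"` looks like a typo, and `host.ip`/`host.name` carry no description at all.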
@@ -38,6 +38,38 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -106,6 +138,21 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1673450908, 
@@ -137,12 +184,66 @@ "type": "indirect" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1670751203, + "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", "arion": "arion", "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_3", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_4", + "nixpkgs-22_11": "nixpkgs-22_11", + "utils": "utils" + }, + "locked": { + "lastModified": 1684569145, + "narHash": "sha256-Dr8KAgjiGuigTgEp7zFO08zPA5o0RxzoPad+oDtg/G0=", + "owner": "mweinelt", + "repo": "nixos-mailserver", + "rev": "5d13cf0550bd5b201b28f116acc5f4b19dd5d753", + "type": "gitlab" + }, + "original": { + "owner": "mweinelt", + "ref": "ldap-support", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index d07df68..6fd9804 100644 --- a/flake.nix +++ b/flake.nix @@ -11,9 +11,11 @@ agenix.url = "github:ryantm/agenix"; arion.url = "github:hercules-ci/arion"; + # email + simple-nixos-mailserver.url = "gitlab:mweinelt/nixos-mailserver/ldap-support"; }; - outputs = { self, nixpkgs, agenix, arion, ... }: { + outputs = { self, nixpkgs, agenix, arion, simple-nixos-mailserver, ... }: { # https://github.com/zhaofengli/colmena # colmena apply --on agentjones # colmena apply --on @dns 
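Review bot: The new input `simple-nixos-mailserver.url = "gitlab:mweinelt/nixos-mailserver/ldap-support"` tracks a feature branch on a personal fork rather than the upstream simple-nixos-mailserver project, so the build now depends on that branch continuing to exist under that account. flake.lock pins the current rev, which keeps deployments reproducible, but a `nix flake update` will follow whatever the branch then points to, including a rewritten history. A comment next to the URL recording why the fork is used and when it can move back upstream would help whoever maintains this later, e.g. `# fork branch, appears to be needed for LDAP support; review the diff before bumping this input`.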
@@ -55,6 +57,9 @@ # Gitlab glados = import ./machines/glados.nix;
+ # email
+ gir.imports = [ ./machines/gir.nix simple-nixos-mailserver.nixosModule];
+ }; };
diff --git a/machines/gir.nix b/machines/gir.nix
new file mode 100644
index 0000000..2594441
--- /dev/null
+++ b/machines/gir.nix
@@ -0,0 +1,57 @@
+/*
+
+ Name: https://zim.fandom.com/wiki/GIR
+ Why: Gir used to have this role before, servers never die
+ Type: VM
+ Hardware: -
+ From: 2023
+ Role: Email Server
+ Notes:
+
+*/
+
+ { pkgs, lib, nodes, ... }:
+let
+ # name of the server, sets teh hostname and record for it
+ name = "gir";
+ ip_pub = "193.1.99.76";
+ ip_priv = "172.20.20.5";
+ hostname = "${name}.skynet.ie";
+ #hostname = ip_pub;
+
+in {
+ imports = [
+ ../applications/email.nix
+ ];
+
+ deployment = {
+ targetHost = hostname;
+ targetPort = 22;
+ targetUser = "root";
+
+ tags = [ "active" ];
+ };
+
+ # add this server to dns
+ skynet_dns.records = {
+ external = [
+ "${name} A ${ip_pub}"
+ ];
+ reverse = [
+ "${builtins.substring 9 3 ip_pub} IN PTR ${name}"
+ ];
+ };
+
+ # we use this to pass in teh relevent infomation to the
+ services.skynet_email = {
+ enable = true;
+
+ host = {
+ # pass in teh ip (used for firewall)
+ ip = ip_pub;
+
+ # the name is used for dns
+ name = name;
+ };
+ };
+}
diff --git a/machines/vendetta.nix b/machines/vendetta.nix
index 7de619a..fd73889 100644
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@@ -61,9 +61,6 @@ in { external = [ "${name} A ${ip_pub}" "${ns} A ${ip_pub}"
-
- # needs this, temporally
- "mail A ${ip_pub}"
 ]; cname = [ #"misc CNAME vendetta"
diff --git a/secrets/dns_certs.secret.age b/secrets/dns_certs.secret.age
index f4b8701..c774a45 100644
Binary files a/secrets/dns_certs.secret.age and b/secrets/dns_certs.secret.age differ
diff --git a/secrets/dns_dnskeys.conf.age b/secrets/dns_dnskeys.conf.age
index 93529ab..ba93d21 100644
Binary files a/secrets/dns_dnskeys.conf.age and b/secrets/dns_dnskeys.conf.age differ
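Review bot: The reverse record `"${builtins.substring 9 3 ip_pub} IN PTR ${name}"` only works because `ip_pub = "193.1.99.76"` happens to have a nine-character prefix; an address of any other length yields the wrong label, and `applications/email.nix` in this commit builds a second PTR for the same host with the same substring trick, so the two can silently diverge. Deriving the last octet once, for example with `lib.last (lib.splitString "." ip_pub)`, and generating the PTR in a single place would remove both the fragility and the duplication. The comment `# we use this to pass in teh relevent infomation to the` stops mid-sentence and `teh` appears twice in this file; `# pass the host details to the skynet_email module` would say what the block does. `host.name` is set under `# the name is used for dns`, but the email module in this commit does not read `cfg.host.name` as far as its hunk shows, so either the comment or the option looks stale.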
diff --git a/secrets/gitlab/db_pw.age b/secrets/gitlab/db_pw.age index 5482c77..25fcb03 100644 --- a/secrets/gitlab/db_pw.age +++ b/secrets/gitlab/db_pw.age 
@@ -1,14 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA IOb6wPqymDlfE5GaRfa3GTL27wqgcekApo/qCoPSXz4 -rJx72HZRS55Zg99/DDRu7ESUOwyvTyfqc7QPk5EyVoE --> ssh-ed25519 rIwlvw pe+EmEcqFCveKudkObc16bj3NqauA3M8vjzTd0FoxFI -pqzzusOOZ84kPKB+CVOwKJpQUF2hwkzI7YcTxWESw/0 --> ssh-ed25519 q8eJgg BS44mKwwzaDCmh9Uce9OBij0ZL/AqynMO45eEjd4QBM -3wpAfqahoT2ookuR92TKFjgwCM+6hmWmrikjZaTY5/Y --> ssh-ed25519 uZzB3g Zz/cbglOs3Il55yt4OIIyVULiaSZdsp3CZ10cSvJ5yk -0KrYOL6VxpzemHFjyMDFkcAveVX3ADXDN928DCus7sw --> NN-grease sCx=PO( 6!N8`ix -zky9jZ8A ---- k917T+C0/4+P8CqCqY6aTg+ITePJ/n3LZxiF1ZmGIoI -z>@rD*ӵJŭ=xjN^$$* /`ps]DCܘ}<;:t "MA!\5e% -7B:{өz ;B:_AƳg$ Ћv-'ŀҭRBbq<|/ \ No newline at end of file +-> ssh-ed25519 V1pwNA EbcKNppMc8Hq9CzalGP8tvYMl9qLyKQiiNILhw1l4zA +KSeA3rVxWG2ID+k3AE9lBrGjEqRFLohhXzQBxxaAcoc +-> ssh-ed25519 rIwlvw dAEdSuZAdPKzGGm2v9fcZCMnRlqzQDoGXOtyuyuuezo +VcvtlisTT4HAih5rvUwDf1nTO6WHCzu7IYmkc5MTxvA +-> ssh-ed25519 q8eJgg vYulFK34+SJmclt6MzOQ90dsl55Hm6jinU7ZQGOzT0Q +BUnfjyd+RVUvgtO5oV6OtBzDFvVeRy4VG/9IJ5tLp0A +-> ssh-ed25519 uZzB3g KqwwJMZpsdu6dMeiJFD0ElSnzXKtD5Y5e3KsharU8nU +zx8ILlqatXmVCbz91HK+gipiCA+UY6gITB1hYGluzJY +-> vcbD%9-grease } b->U-FWa P- +kNm0DVuSdtvR0wFNkOpMig +--- dLxnlUZ24wxKq733+FBkyCh5PLRHjxv+oza/07SIC6w +nD~pA}=IJDߕۡ29H y,EC;| 4xT 86 ssh-ed25519 V1pwNA zDNOQBle5xm4szgmn2Dc9wATIJ62WvqFvZ0FdPu15gc -wZZWDJPQlBxd1zapcnEsBeY/WscawxPFfriJpYSrsBA --> ssh-ed25519 rIwlvw XTu6bV4GUK55mfVQzZGBZWx7MFfmwS02phXKgN3OKQw -MWMCcA6tfM0qwgMypwaZ2dAnXRe/3n8FY9AGhEXZJAQ --> ssh-ed25519 q8eJgg FcTKuXjwll6kEqXZFUUHcHKqq4VzDxuXNSq93OoRxnY -hR3hvGsTZrjNmowqLIWtftW5XqzLxns4QL+kop/UFDc --> ssh-ed25519 uZzB3g MTh3/nKjbNyMkmq5zZ4GS4fakylSgfAsEzwkX+jHeXA -TUIwfWxXCUUrKnKhK6KjzjGXfVcV260BFRPXr/fiVB4 --> Q34)S:o=-grease -/04lX+TiKjQn7mf/TcrjNlkIO1CdWZ/tNI+BpOmjUA2DvdagkV89nq8OHRykjX9O -me5XZHZdcIP7WFpPXWQZDnkl ---- GApKhoyIlXNDiNORp6Lu0qaSvxHQw00Mz8l9ca2YHoA -IW:g贋'"<1Q)en5gr"D0׺;q*o@K9&g;9ʀo(X NHԫKԶ@HAbZztg !A$.r'ɭz6ݱCMU(P>w] -A V( \ No newline at end of file +-> ssh-ed25519 V1pwNA 
jPL12+E4d4aPmxgrzGHkFqccSHIRBcB29O+5cwIbVWE +ij9TOU52WvYACeZpKnxYysp5tLgtSe1hhxSU6JdFxss +-> ssh-ed25519 rIwlvw meBrACSZjoiuEtF40Yi5767u1EEKPPevOmBAyS9Z9mo +dwI1Kdpyg101rgAYw0LG4OxvcX2qb4uLYv9/vtqVLiQ +-> ssh-ed25519 q8eJgg vV2lfHL6HVEo6q7hvht8aJNDyPjL+ZSiw1Q16zGFYTk +Z+u2a3CbIQIhU9Syy4iSnOyi/QpygL5lrV3ABGUlXxs +-> ssh-ed25519 uZzB3g 1sGZCRGyBXwN027g2tj+fTk1n+bytxQ7ecXFYD5OugU +Lbmx3Rgh3PcgEDDbQpByHpYbWoa/iSnpBOHycDxviCo +-> jb2y@E-grease BY k0nF v\N &~-`QA +QXL29erKeT1jWkmcSmBz2IahR0op0MvneWIGcqdA2/kv0OVHuIAGMDgnxcqsxijB +CAxFxgKtVHRisrKx5EgZ2o5VJfjFYCspEDZEf1bzH33EiNvSz7ennulAxA +--- qNvRPXLiwBSUuVegfVLgoALYgF3vkGxOxdOurWQzoG4 +.>Y{Ok23F F8zaic;_Y6`s,Y[dL: =Hm3s'̭T[,5)'m՟|dϔvJ&ɨ*$n=!X8p%>[O$ \ No newline at end of file diff --git a/secrets/gitlab/secrets_jws.age b/secrets/gitlab/secrets_jws.age index d0958b5..148c60d 100644 Binary files a/secrets/gitlab/secrets_jws.age and b/secrets/gitlab/secrets_jws.age differ diff --git a/secrets/gitlab/secrets_otp.age b/secrets/gitlab/secrets_otp.age index 34d40fd..4a7662b 100644 --- a/secrets/gitlab/secrets_otp.age +++ b/secrets/gitlab/secrets_otp.age 
@@ -1,14 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA kZwcudEAwSOd+jJ22NnvNlt+fNElnJufPhxIiNLLm3c -DhhvCQbQE+7CDSDFnmpC4BztM6yWGEhGnS8foyVtv8A --> ssh-ed25519 rIwlvw q1gCRBLEzBM6sMvpNiKn/DCBlh7jGayVtIq2ifFutX8 -uXilx2tRp/l0iuHLRqGFD7JzOsvNhC3YWCFYbDSnCAE --> ssh-ed25519 q8eJgg myE1PBgDBdSV3YoRY5WLU1FCN6SomE4OUIT7RTT/jks -20LCHmVHbTf+Avvtc02IVtQzppnmYmUXx1q/h2bNC1o --> ssh-ed25519 uZzB3g AgY9YaVBna+M11ENambBCo7WC2NVBv6i34xNrl8sPw0 -4yzCr64HqVDdMTYSraUDOFhtOdpf0/ULvS1278IIXZo --> b$y90E6m-grease jp O jm8Y>| n(/.tZ -+SC2qx0vhLmdBol0asd5W8NRY+b42SBVHgYyEh/wWmFitA ---- 3CziwJgcWnyHyWTyrK6ru9Pd2Tmk/Acn+/mSsdl1FKE -Wi}XgM'2Oqfpǎ~u#V .HMց -V19Im7}XAyU<УfU1ݘB$>yEHMwQp >x]psu!c۽l>y̜٢Vi \ No newline at end of file +-> ssh-ed25519 V1pwNA yv25GV2kuwXTU/hxE34ybWt5a8EqJ/VlQ44q90FiFhw +O5Y236IJujwbJKRceCmqWzmeMT51Lg2GOoxVybV2kos +-> ssh-ed25519 rIwlvw Ivvet9xAdzT3cONFxCmB2KoU7R672hlFVS6PN9H8YkQ +3NtQR7IpeSkD+aKoOH4jUeSDRu3+xpR91WHQnu0XmJE +-> ssh-ed25519 q8eJgg vXlcQKk/QsGht4oPTbpOI3SIA5qq6htalZaC4brpNFI +FQzb/TcZOqtK0w7AxYeB/hNNQ0UwKn8YadyjoHmXiY0 +-> ssh-ed25519 uZzB3g IWEkV5hOPb6iBpgNByNQfQkMoUITXZkHVLKkI/qA3AQ +UJoXL/i656DfRNzQyPKKpzLgXGWw5mPhvQrR8IyeDWI +-> p3}N/u>-grease gui +4R5c1q04NPXKYCuHBmLXYdUW2z5/fCLaTp8AV02MpZ1W458NBqDG9gsXOBcg1o1i +eA +--- 0iTQml3iIebXgWCeK6gBu7MjW2iVa1AmUherR1lRqa0 +CQnӎ U!FVUbK,Hi U)s)5˟lVR&21e`x(U5b/n/V gN) OE:\Q~5 ﮠ)vF&mE{LXF?柩KQXۺ \ No newline at end of file diff --git a/secrets/gitlab/secrets_secret.age b/secrets/gitlab/secrets_secret.age index abdb049..b98fad0 100644 Binary files a/secrets/gitlab/secrets_secret.age and b/secrets/gitlab/secrets_secret.age differ diff --git a/secrets/ldap/pw.age b/secrets/ldap/pw.age index ef878c0..eabbe48 100644 Binary files a/secrets/ldap/pw.age and b/secrets/ldap/pw.age differ diff --git a/secrets/ldap/self_service.age b/secrets/ldap/self_service.age index 95603f0..4cfef0d 100644 Binary files a/secrets/ldap/self_service.age and b/secrets/ldap/self_service.age differ 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f4a7f6c..42578df 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -27,6 +27,8 @@ let kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
+ gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
+
 systems = [ agentjones ash
@@ -39,9 +41,15 @@ let vigil ];
+ email = [
+ gir
+ ];
+
 ldap = [ kitt
- ];
+ ]
+ ++ gitlab
+ ++ email;
 gitlab = [ glados
diff --git a/secrets/stream_ulfm.age b/secrets/stream_ulfm.age
index 73cc4bd..a59261a 100644
Binary files a/secrets/stream_ulfm.age and b/secrets/stream_ulfm.age differ
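Review bot: `ldap = [ kitt ] ++ gitlab ++ email;` makes the LDAP secrets decryptable by every gitlab host and every email host, and since `applications/email.nix` in this commit binds as `cn=admin,...` using `secrets/ldap/pw.age`, the directory admin password now lives on gir and on the gitlab machines as well as kitt; if those hosts only need to look users up, a separate secret holding a read-only bind password would keep the admin credential on kitt alone. That reading relies on the list name, as the part of this file that maps these lists onto the `.age` files lies outside the hunk. `gitlab` is used before its definition, which is fine in a Nix `let` since bindings are recursive, but a short comment on the `ldap` list saying which hosts need it and why would make the widening deliberate, e.g. `# hosts that bind to LDAP: kitt (directory), gitlab and mail (user lookups)`.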