email: email is semi functional, can send but it doesnot save to sent items

Unsure about recieve

applications/email.nix

@@ -0,0 +1,169 @@
+{ config, pkgs, lib, ...}: with lib;
+  let
+    cfg = config.services.skynet_email;
+  in {
+
+  imports = [
+    ./dns.nix
+  ];
+
+  /*
+  backups = [
+    "/var/vmail"
+    "/var/dkim"
+  ];
+  */
+
+  options.services.skynet_email = {
+    # options that need to be passed in to make this work
+
+    enable = mkEnableOption "Skynet Email";
+
+    host = {
+      ip = mkOption {
+        type = types.str;
+      };
+
+      name = mkOption {
+        type = types.str;
+      };
+    };
+
+    domain = mkOption {
+      type = types.str;
+      default = "ulcompsoc.ie";
+      description = lib.mdDoc "domaino";
+    };
+
+    sub = mkOption {
+      type = types.str;
+      default = "mail";
+      description = lib.mdDoc "mailserver subdomain";
+    };
+
+    ldap = {
+      hosts = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "ldaps://sso.skynet.ie"
+        ];
+        description = lib.mdDoc "ldap domains";
+      };
+
+      base = mkOption {
+        type = types.str;
+        default = "dc=skynet,dc=ie";
+        description = lib.mdDoc "where to find users";
+      };
+
+      searchBase = mkOption {
+        type = types.str;
+        default = "ou=users,${cfg.ldap.base}";
+        description = lib.mdDoc "where to find users";
+      };
+
+      bind_dn = mkOption {
+        type = types.str;
+        default = "cn=admin,${cfg.ldap.base}";
+        description = lib.mdDoc "where to find users";
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    age.secrets.ldap_pw.file = ../secrets/ldap/pw.age;
+
+    # set up dns record for it
+    skynet_dns.records.external = [
+      # basic one
+      "mail       A ${cfg.host.ip}"
+
+      "${cfg.domain}  MX 10   ${cfg.sub}.${cfg.domain}"
+
+      # reverse pointer
+      "${builtins.substring 9 3 cfg.host.ip}.99.1.193.in-addr.arpa IN PTR ${cfg.sub}.${cfg.domain}"
+
+       # SPF record
+      "${cfg.domain} TXT v=spf1 a:${cfg.sub}.${cfg.domain} -all"
+
+      # DKIM
+      #"mail._domainkey 10800 TXT  v=DKIM1; p=<really-long-key>"
+
+      # DMARC
+      "_dmarc TXT v=DMARC1; p=none"
+    ];
+
+    mailserver = {
+      enable = true;
+      fqdn = "${cfg.sub}.${cfg.domain}";
+      domains = [
+        cfg.domain
+      ];
+
+      #hierarchySeparator = "/";
+
+      # 100MB max size
+      messageSizeLimit = 100000000;
+
+      #localDnsResolver = false;
+
+      ldap = {
+        enable = true;
+        uris = cfg.ldap.hosts;
+        bind = {
+          dn = cfg.ldap.bind_dn;
+          passwordFile = config.age.secrets.ldap_pw.path;
+        };
+        searchBase = cfg.ldap.searchBase;
+        searchScope = "sub";
+
+
+        dovecot = {
+          #userAttrs = "uidNumber=uid,gidNumber=gid,skMail=mail";
+          # use the set email account
+          #userFilter = "(&(memberOf=cn=skynet-users,ou=groups,${cfg.ldap.base}))(uid=%n))";
+          #userFilter = "(&(objectClass=posixAccount)(uid=%u))";
+          userFilter = "(uid=%n)";
+
+          # "fix" until userAttrs is fixed
+          passAttrs = ''uid=user,userPassword=password
+           user_attrs = uidNumber=uid,gidNumber=gid
+          '';
+          passFilter  = "(uid=%n)";
+        };
+
+        postfix = {
+          filter = "skMail=%s";
+
+          # these may be reversed???
+          # https://gist.github.com/calbrecht/bca39174f39a74e52a6d05bf630ad495
+          uidAttribute = "skMail";
+          mailAttribute = "uid";
+        };
+
+
+      };
+
+
+      # feckin spammers
+      rejectRecipients = [
+
+      ];
+
+    };
+
+    # tune the spam filter
+    /*
+    services.rspamd.extraConfig = ''
+      actions {
+        reject = null; # Disable rejects, default is 15
+        add_header = 7; # Add header when reaching this score
+        greylist = 4; # Apply greylisting when reaching this score
+      }
+    '';
+    */
+  };
+}

flake.lock

@@ -38,6 +38,38 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1668681692,
+        "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -106,6 +138,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-22_11": {
+      "locked": {
+        "lastModified": 1669558522,
+        "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-22.11",
+        "type": "indirect"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1673450908,
@@ -137,12 +184,66 @@
         "type": "indirect"
       }
     },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1670751203,
+        "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
         "arion": "arion",
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_3",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
+      }
+    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs_4",
+        "nixpkgs-22_11": "nixpkgs-22_11",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1684569145,
+        "narHash": "sha256-Dr8KAgjiGuigTgEp7zFO08zPA5o0RxzoPad+oDtg/G0=",
+        "owner": "mweinelt",
+        "repo": "nixos-mailserver",
+        "rev": "5d13cf0550bd5b201b28f116acc5f4b19dd5d753",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "mweinelt",
+        "ref": "ldap-support",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -11,9 +11,11 @@
     agenix.url = "github:ryantm/agenix";
     arion.url = "github:hercules-ci/arion";
 
+    # email
+    simple-nixos-mailserver.url = "gitlab:mweinelt/nixos-mailserver/ldap-support";
   };
 
-  outputs = { self, nixpkgs, agenix, arion, ... }: {
+  outputs = { self, nixpkgs, agenix, arion, simple-nixos-mailserver,  ... }: {
     # https://github.com/zhaofengli/colmena
     # colmena apply --on agentjones
     # colmena apply --on @dns
@@ -55,6 +57,9 @@
       # Gitlab
       glados = import ./machines/glados.nix;
 
+      # email
+      gir.imports = [ ./machines/gir.nix simple-nixos-mailserver.nixosModule];
+
     };
   };
 

machines/gir.nix

@@ -0,0 +1,57 @@
+/*
+
+  Name:     https://zim.fandom.com/wiki/GIR
+  Why:      Gir used to have this role before, servers never die
+  Type:     VM
+  Hardware: -
+  From:     2023
+  Role:     Email Server
+  Notes:
+
+*/
+
+{ pkgs, lib, nodes, ... }:
+let
+  # name of the server, sets teh hostname and record for it
+  name      = "gir";
+  ip_pub    = "193.1.99.76";
+  ip_priv   = "172.20.20.5";
+  hostname  = "${name}.skynet.ie";
+  #hostname  = ip_pub;
+
+in {
+  imports = [
+    ../applications/email.nix
+  ];
+
+  deployment = {
+    targetHost = hostname;
+    targetPort = 22;
+    targetUser = "root";
+
+    tags = [ "active" ];
+  };
+
+  # add this server to dns
+  skynet_dns.records = {
+    external = [
+        "${name}       A       ${ip_pub}"
+    ];
+    reverse = [
+      "${builtins.substring 9 3 ip_pub}    IN     PTR    ${name}"
+    ];
+  };
+
+  # we use this to pass in teh relevent infomation to the
+  services.skynet_email = {
+    enable = true;
+
+    host = {
+      # pass in teh ip (used for firewall)
+      ip = ip_pub;
+
+      # the name is used for dns
+      name = name;
+    };
+  };
+}

machines/vendetta.nix

@@ -61,9 +61,6 @@ in {
        external = [
          "${name}         A       ${ip_pub}"
          "${ns}              A       ${ip_pub}"
-
-         # needs this, temporally
-         "mail             A       ${ip_pub}"
        ];
        cname = [
          #"misc             CNAME   vendetta"

secrets/gitlab/db_pw.age

@@ -1,14 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 V1pwNA IOb6wPqymDlfE5GaRfa3GTL27wqgcekApo/qCoPSXz4
-rJx72HZRS55Zg99/DDRu7ESUOwyvTyfqc7QPk5EyVoE
--> ssh-ed25519 rIwlvw pe+EmEcqFCveKudkObc16bj3NqauA3M8vjzTd0FoxFI
-pqzzusOOZ84kPKB+CVOwKJpQUF2hwkzI7YcTxWESw/0
--> ssh-ed25519 q8eJgg BS44mKwwzaDCmh9Uce9OBij0ZL/AqynMO45eEjd4QBM
-3wpAfqahoT2ookuR92TKFjgwCM+6hmWmrikjZaTY5/Y
--> ssh-ed25519 uZzB3g Zz/cbglOs3Il55yt4OIIyVULiaSZdsp3CZ10cSvJ5yk
-0KrYOL6VxpzemHFjyMDFkcAveVX3ADXDN928DCus7sw
--> NN-grease sCx=PO( 6!N8`ix
-zky9jZ8A
---- k917T+C0/4+P8CqCqY6aTg+ITePJ/n3LZxiF1ZmGIoI
-œz>×@¿<>…ñùrî„<C3AE>š¯Dº—ó<E28094>*ÓµJÅ­ù=·›÷xüjN^žŒ$$*ç/<2F>¤`¨ps]DÞCƒ­Ü˜×ã}™<…¿ò;:t"”MAˆ!\ŒœäÊÏ5e¡…%<25>€Ž
-7ÌB<EFBFBD>:{Ó©zž â;B:_A²Æ³“¡óg«üç$»ÁçЋïv-'Å€Ò­RBbq›<|/®ÅÝ
+-> ssh-ed25519 V1pwNA EbcKNppMc8Hq9CzalGP8tvYMl9qLyKQiiNILhw1l4zA
+KSeA3rVxWG2ID+k3AE9lBrGjEqRFLohhXzQBxxaAcoc
+-> ssh-ed25519 rIwlvw dAEdSuZAdPKzGGm2v9fcZCMnRlqzQDoGXOtyuyuuezo
+VcvtlisTT4HAih5rvUwDf1nTO6WHCzu7IYmkc5MTxvA
+-> ssh-ed25519 q8eJgg vYulFK34+SJmclt6MzOQ90dsl55Hm6jinU7ZQGOzT0Q
+BUnfjyd+RVUvgtO5oV6OtBzDFvVeRy4VG/9IJ5tLp0A
+-> ssh-ed25519 uZzB3g KqwwJMZpsdu6dMeiJFD0ElSnzXKtD5Y5e3KsharU8nU
+zx8ILlqatXmVCbz91HK+gipiCA+UY6gITB1hYGluzJY
+-> vcbD%9-grease } b->U-FWa P-
+kNm0DVuSdtvR0wFNkOpMig
+--- dLxnlUZ24wxKq733+FBkyCh5PLRHjxv+oza/07SIC6w
+nDä½~ápëAš}ß=IJÚDß•Û¡29œµH
<0A>y,¶ª¡—EC;§|	æ4¿¤xT	8¯6<øT‘Ñf±ÏWâì®<<11>ê*N™sÃZd¥‰<C2A5>qÞnÿš©—;ž¸¾ôNÑǾ¨á)êZ„ñò¥.<2E>TI«
+:jò¸Oe	Ž@
¸ä¿Û®D¼+rî°i
+aL
ýU^‘‘ñ5

secrets/gitlab/secrets_db.age

@@ -1,15 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 V1pwNA zDNOQBle5xm4szgmn2Dc9wATIJ62WvqFvZ0FdPu15gc
-wZZWDJPQlBxd1zapcnEsBeY/WscawxPFfriJpYSrsBA
--> ssh-ed25519 rIwlvw XTu6bV4GUK55mfVQzZGBZWx7MFfmwS02phXKgN3OKQw
-MWMCcA6tfM0qwgMypwaZ2dAnXRe/3n8FY9AGhEXZJAQ
--> ssh-ed25519 q8eJgg FcTKuXjwll6kEqXZFUUHcHKqq4VzDxuXNSq93OoRxnY
-hR3hvGsTZrjNmowqLIWtftW5XqzLxns4QL+kop/UFDc
--> ssh-ed25519 uZzB3g MTh3/nKjbNyMkmq5zZ4GS4fakylSgfAsEzwkX+jHeXA
-TUIwfWxXCUUrKnKhK6KjzjGXfVcV260BFRPXr/fiVB4
--> Q34)S:o=-grease
-/04lX+TiKjQn7mf/TcrjNlkIO1CdWZ/tNI+BpOmjUA2DvdagkV89nq8OHRykjX9O
-me5XZHZdcIP7WFpPXWQZDnkl
---- GApKhoyIlXNDiNORp6Lu0qaSvxHQw00Mz8l9ca2YHoA
-éÂ<EFBFBD>—›„IWÈ:úÊ‘gè´‹'âù"<1Q)ØéÁen5÷gr”"DÈ0ƒ×ºÔèÐ;®q*˜o¡Ä@K9&<26>±g;¸Ý9Ê€o¿¶’(XNHÔ«³ŒKÑÔ¶™@HAbØZz·t´g×ðÊí°¢!A¾$.Ïr'à¬É­z6›ݱC‡úMU’·°î<C2B0>¤˜é(P
>ôw]»§
-ýA V(ÿ¯ê
+-> ssh-ed25519 V1pwNA jPL12+E4d4aPmxgrzGHkFqccSHIRBcB29O+5cwIbVWE
+ij9TOU52WvYACeZpKnxYysp5tLgtSe1hhxSU6JdFxss
+-> ssh-ed25519 rIwlvw meBrACSZjoiuEtF40Yi5767u1EEKPPevOmBAyS9Z9mo
+dwI1Kdpyg101rgAYw0LG4OxvcX2qb4uLYv9/vtqVLiQ
+-> ssh-ed25519 q8eJgg vV2lfHL6HVEo6q7hvht8aJNDyPjL+ZSiw1Q16zGFYTk
+Z+u2a3CbIQIhU9Syy4iSnOyi/QpygL5lrV3ABGUlXxs
+-> ssh-ed25519 uZzB3g 1sGZCRGyBXwN027g2tj+fTk1n+bytxQ7ecXFYD5OugU
+Lbmx3Rgh3PcgEDDbQpByHpYbWoa/iSnpBOHycDxviCo
+-> jb2y@E-grease BY k0nF v\N &~-`QA
+QXL29erKeT1jWkmcSmBz2IahR0op0MvneWIGcqdA2/kv0OVHuIAGMDgnxcqsxijB
+CAxFxgKtVHRisrKx5EgZ2o5VJfjFYCspEDZEf1bzH33EiNvSz7ennulAxA
+--- qNvRPXLiwBSUuVegfVLgoALYgF3vkGxOxdOurWQzoG4
+Ì.>ìY<C2A2>¾{îOùžk2ú°µÄ3ãFFóï8›‰z¾a<C2BE>iëc;±¸_Y6ù··º‚êö÷`¼s,˜Y[dL™¤
:ÿÐÅ=¢“žœ‡§Höÿßm3s–Óúï¢'‡Ì­çƒTô[,ùëÔ¹5Ù)›™'–mÕŸ|»¿dú‚Ï”v¨—J˜&ɨ„*$Án=ß!âX8ñåp%<25>>[O$Ï

secrets/gitlab/secrets_otp.age

@@ -1,14 +1,14 @@
 age-encryption.org/v1
--> ssh-ed25519 V1pwNA kZwcudEAwSOd+jJ22NnvNlt+fNElnJufPhxIiNLLm3c
-DhhvCQbQE+7CDSDFnmpC4BztM6yWGEhGnS8foyVtv8A
--> ssh-ed25519 rIwlvw q1gCRBLEzBM6sMvpNiKn/DCBlh7jGayVtIq2ifFutX8
-uXilx2tRp/l0iuHLRqGFD7JzOsvNhC3YWCFYbDSnCAE
--> ssh-ed25519 q8eJgg myE1PBgDBdSV3YoRY5WLU1FCN6SomE4OUIT7RTT/jks
-20LCHmVHbTf+Avvtc02IVtQzppnmYmUXx1q/h2bNC1o
--> ssh-ed25519 uZzB3g AgY9YaVBna+M11ENambBCo7WC2NVBv6i34xNrl8sPw0
-4yzCr64HqVDdMTYSraUDOFhtOdpf0/ULvS1278IIXZo
--> b$y90E6m-grease jp O jm8Y>| n(/.tZ
-+SC2qx0vhLmdBol0asd5W8NRY+b42SBVHgYyEh/wWmFitA
---- 3CziwJgcWnyHyWTyrK6ru9Pd2Tmk/Acn+/mSsdl1FKE
-Wì¿i}X“œËgM¶'þ2OqùšfpÐÉÇŽÉ£~ðu#èýÂVè.H’M¥ÃøûŠÖ<C5A0>
-·V1<56>ª9<C2AA>IôÖmè7}Ùïú”X‹Ay¶
U<ÒУfôU÷1—ݘB$Å>ŽyýEHòM¹øwQøp
ƒ²>€Œx]ps¬šu!ü„âöÙc“Û½äÊl<C38A><6C>>yµÌœÙ¢V¬i
+-> ssh-ed25519 V1pwNA yv25GV2kuwXTU/hxE34ybWt5a8EqJ/VlQ44q90FiFhw
+O5Y236IJujwbJKRceCmqWzmeMT51Lg2GOoxVybV2kos
+-> ssh-ed25519 rIwlvw Ivvet9xAdzT3cONFxCmB2KoU7R672hlFVS6PN9H8YkQ
+3NtQR7IpeSkD+aKoOH4jUeSDRu3+xpR91WHQnu0XmJE
+-> ssh-ed25519 q8eJgg vXlcQKk/QsGht4oPTbpOI3SIA5qq6htalZaC4brpNFI
+FQzb/TcZOqtK0w7AxYeB/hNNQ0UwKn8YadyjoHmXiY0
+-> ssh-ed25519 uZzB3g IWEkV5hOPb6iBpgNByNQfQkMoUITXZkHVLKkI/qA3AQ
+UJoXL/i656DfRNzQyPKKpzLgXGWw5mPhvQrR8IyeDWI
+-> p3}N/u>-grease gui
+4R5c1q04NPXKYCuHBmLXYdUW2z5/fCLaTp8AV02MpZ1W458NBqDG9gsXOBcg1o1i
+eA
+--- 0iTQml3iIebXgWCeK6gBu7MjW2iVa1AmUherR1lRqa0
+±—ê<E28094>CQnÈÓŽ¨âU!FVUb³KÃ,Hƒ¿iË U¢„)s•Ë)“Ûû5ÚØâËŸlVàRšýõ&2‘‘1Éße`x(°U5bÁ/Á¿n/ÌVÔgN)–<>
úðOE:ºñÒç½ëˆ¬õ\Q~5
ï® )„vFç¼&mEõš{ûL×µÂÝXF?ö<>ù柩àKäÎQXÛº´

secrets/secrets.nix

@@ -27,6 +27,8 @@ let
 
   kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
 
+  gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
+
   systems = [
     agentjones
     ash
@@ -39,9 +41,15 @@ let
     vigil
   ];
 
+  email = [
+    gir
+  ];
+
   ldap = [
     kitt
-  ];
+  ]
+  ++ gitlab
+  ++ email;
 
   gitlab = [
     glados