From 310de525df085fd6b056d0899ce28c526f9d8571 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 14 May 2025 16:10:21 +0200 Subject: [PATCH 1/7] Update vars via generator mail-server for machine moritz-server --- .../mail-server/main-password/secret | 15 +++++++++++++++ .../mail-server/main-password/users/moritz | 1 + 2 files changed, 16 insertions(+) create mode 100644 vars/per-machine/moritz-server/mail-server/main-password/secret create mode 120000 vars/per-machine/moritz-server/mail-server/main-password/users/moritz diff --git a/vars/per-machine/moritz-server/mail-server/main-password/secret b/vars/per-machine/moritz-server/mail-server/main-password/secret new file mode 100644 index 0000000..ee589ab --- /dev/null +++ b/vars/per-machine/moritz-server/mail-server/main-password/secret @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data:5oAUAp4PErA9oUhWjH6MVij1kee75gA1IM7lfGJkZso=,iv:YkT3bbDPIKbj4QFFQmBdkAlYQzoJJDP78mkMx3a78rk=,tag:w0y/YHvHFPwYweQrDW3raQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqcFBRZnR0aE1xcjlSWjlx\nWTl1TWUzMXk5SmhPN29hcGg1WkV1VXRDTGpvCmZwZlpCUGloL1FuRFVKVnJ1Z1VW\nYzNDZFVzNlk2NjM3UkxyanBIY3FxanMKLS0tIG5zN0o4YlgwaE9CRWRMY2E0cmJF\ndGJvS0EwQUM0bSt3SFRuTjhwYm1XSDgKRR6tZNK/INrIIZyCsyXYp5Ss9JJnw8PT\nP0qWCB8WDW7K7eOL8LjlcIAVNdxvhbWX+rq6vG9xEORFXc7fgg9UBw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T14:10:21Z", + "mac": "ENC[AES256_GCM,data:zWC5iZDyW0bPpMhuqkj+31Rijp2ibeUbLPPgXeOygMpJy+8vix2BvzWXInKCobCVGXMw8PGMSJFFimBCTA/qxFGzLpnfMpPU8+e/0NlaaGKdsi8G7V972Uq0+1p2pJ0lz4TTp2FEfdFbcQVJOI74XE8X5cWvY71tPiZprZ2Jw6Q=,iv:O7R0aAnQbIg0LI11vFy5edu2gkq/ID2VJ9KycxUtEEc=,tag:Ckl7HxAHqAVyYKv9L74p0g==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.1" + } +} 
diff --git a/vars/per-machine/moritz-server/mail-server/main-password/users/moritz b/vars/per-machine/moritz-server/mail-server/main-password/users/moritz
new file mode 120000
index 0000000..1b45802
--- /dev/null
+++ b/vars/per-machine/moritz-server/mail-server/main-password/users/moritz
@@ -0,0 +1 @@
+../../../../../../sops/users/moritz
\ No newline at end of file
From 432f88def477f2c8199c8f35163e8b13e6d9d797 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 16:16:23 +0200
Subject: [PATCH 2/7] Update vars via generator mail-server for machine moritz-server
---
 .../main-password-hash/machines/moritz-server | 1 +
 .../mail-server/main-password-hash/secret | 19 +++++++++++++++++++
 .../main-password-hash/users/moritz | 1 +
 .../mail-server/main-password/secret | 8 ++++----
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 120000 vars/per-machine/moritz-server/mail-server/main-password-hash/machines/moritz-server
 create mode 100644 vars/per-machine/moritz-server/mail-server/main-password-hash/secret
 create mode 120000 vars/per-machine/moritz-server/mail-server/main-password-hash/users/moritz
diff --git a/vars/per-machine/moritz-server/mail-server/main-password-hash/machines/moritz-server b/vars/per-machine/moritz-server/mail-server/main-password-hash/machines/moritz-server
new file mode 120000
index 0000000..f18ca49
--- /dev/null
+++ b/vars/per-machine/moritz-server/mail-server/main-password-hash/machines/moritz-server
@@ -0,0 +1 @@
+../../../../../../sops/machines/moritz-server
\ No newline at end of file
diff --git a/vars/per-machine/moritz-server/mail-server/main-password-hash/secret b/vars/per-machine/moritz-server/mail-server/main-password-hash/secret
new file mode 100644
index 0000000..9817c3d
--- /dev/null
+++ b/vars/per-machine/moritz-server/mail-server/main-password-hash/secret
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:vUQpItSZ0PCFbvG7+dPN0t7BIU7hWNxSZBWRBXXDnoV/X4H7Pii6v2evk1p2v6nKbDLlFmrYmipGvDwqU7x5i4aYUfL4XLythfZ8/H8ZjqQsa58jr/L9BqPEyngdKp959NHvBbzBYEO7+Q==,iv:yYpORYLxp4Cniq3MARN4UvQGqq/OVO9drIDJ//IItgg=,tag:q2MXgoPHpYqR3S7hyVHarQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdFF3dHR5RXgwRlBvbHBy\naW5OaVFXYjlsemlycSs5RlpyZjgrcDkweFNvCmhiOU1uRkZnK3pveTYvajlXbmha\na0JRdEl1TjFtc1BOcUF4c1U4am1sTEkKLS0tIE1tb2RRZTZpYW15b3JIR3hycGJD\naE5DOE9NM01mOGhSRUN1RmlnRy9nb2MKKIRwt/N0YDzxvzgTkrEsWgvagZHKmvt2\npU7gYJyS/p192SxcKELffJ4ycbGBNDt8mibFkdFayc07c0zoJ/tgbQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTG90SUhKdkJxenUveDdS\nbE1KZTQvL1dzcEtXeWhBL3FDSGpSYUVSRWxBCjMxU0M3VmtUc1NrT1A5NEorb2lK\nbG1vRjZDMEl0TGlPaFVWZmVLWGtWRXMKLS0tIGxoc280R3dmd01qbUMxeGozMHE3\ndE5BS2VOVFhsaFExaDdpcGVMYUZ0Y2sKuFdgKS0dftMHAK3cmtG2n4D4eM+bLfCm\no0gxVOwx5EktRJh6r+Ph39X+6OfJ7TXWGsxqRyqcvwr+r0tZNozNZw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T14:16:23Z", + "mac": "ENC[AES256_GCM,data:9f+LQUfxdDl6KoYGYlmdSc3yvHTMsltMe7z/KCmPztKNnoPhvGjezejMsbFWtBRaEZxBAd0PlKDZCg7+JJEotQtqgcOPJChlEJRUYaJlOcrl9zK8C0JmWZwydPWu5Pzy5/cmRiRQIuDR9A8Zbj7tFEdegGR6Mg9OPehSTOrA1PQ=,iv:7Vvs+0e691Najwh4paUBSkMaYDhl6otFAXr56FzESMo=,tag:6MJwZHNZuz+oM3cKyetFYg==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.1" + } +} diff --git a/vars/per-machine/moritz-server/mail-server/main-password-hash/users/moritz b/vars/per-machine/moritz-server/mail-server/main-password-hash/users/moritz new file mode 120000 index 0000000..1b45802 --- /dev/null 
+++ b/vars/per-machine/moritz-server/mail-server/main-password-hash/users/moritz
@@ -0,0 +1 @@
+../../../../../../sops/users/moritz
\ No newline at end of file
diff --git a/vars/per-machine/moritz-server/mail-server/main-password/secret b/vars/per-machine/moritz-server/mail-server/main-password/secret
index ee589ab..6a271dc 100644
--- a/vars/per-machine/moritz-server/mail-server/main-password/secret
+++ b/vars/per-machine/moritz-server/mail-server/main-password/secret
@@ -1,14 +1,14 @@ { - "data": "ENC[AES256_GCM,data:5oAUAp4PErA9oUhWjH6MVij1kee75gA1IM7lfGJkZso=,iv:YkT3bbDPIKbj4QFFQmBdkAlYQzoJJDP78mkMx3a78rk=,tag:w0y/YHvHFPwYweQrDW3raQ==,type:str]", + "data": "ENC[AES256_GCM,data:AkZ88cgYhjHlNfiHkRBhWOznbtEAKPjvHcpN8Y5bhbM=,iv:pzQjlxc8sMkprvYWhEEXHqkJQZjAQ8U2Y5fIh0ft2sA=,tag:3CU2YJGVPe4tayMJ8U9nLQ==,type:str]", "sops": { "age": [ { "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqcFBRZnR0aE1xcjlSWjlx\nWTl1TWUzMXk5SmhPN29hcGg1WkV1VXRDTGpvCmZwZlpCUGloL1FuRFVKVnJ1Z1VW\nYzNDZFVzNlk2NjM3UkxyanBIY3FxanMKLS0tIG5zN0o4YlgwaE9CRWRMY2E0cmJF\ndGJvS0EwQUM0bSt3SFRuTjhwYm1XSDgKRR6tZNK/INrIIZyCsyXYp5Ss9JJnw8PT\nP0qWCB8WDW7K7eOL8LjlcIAVNdxvhbWX+rq6vG9xEORFXc7fgg9UBw==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBUEhJdTRDcXlIRE4rREc1\nMnJZc1dBSjZwVVhSSWs1MzJIbkE3a1NoK2hFCjlOWnZhVUI0V1BSWnVoOVZ4Rndj\nQzhBcVl6SGhoak9lQWZTN2c5b2doMjgKLS0tIFB3ZXYydVVBZWVVbTUrTkgwR0o0\nQkhGWlZFc2JWVkpvZGhTUVFQVU9DMHcKvQkOm044Aro20YXKCQ0XMDJy9wfa4Zev\nh3toOumU+Du9+4SvItWyKV8RpRfXHGVGwpdDyvDyR9vdkNehu/4AIg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-14T14:10:21Z", - "mac": "ENC[AES256_GCM,data:zWC5iZDyW0bPpMhuqkj+31Rijp2ibeUbLPPgXeOygMpJy+8vix2BvzWXInKCobCVGXMw8PGMSJFFimBCTA/qxFGzLpnfMpPU8+e/0NlaaGKdsi8G7V972Uq0+1p2pJ0lz4TTp2FEfdFbcQVJOI74XE8X5cWvY71tPiZprZ2Jw6Q=,iv:O7R0aAnQbIg0LI11vFy5edu2gkq/ID2VJ9KycxUtEEc=,tag:Ckl7HxAHqAVyYKv9L74p0g==,type:str]", + "lastmodified": "2025-05-14T14:16:22Z", + "mac": "ENC[AES256_GCM,data:ttVVdprPzuwOic9GryqMpYx3SdEk27vdBxkOy/wwiVcJiuUABCC2fwk0MTP/mjmtYLXW/KEwX9Pvyex4SnYJ9v7HzrgvxoR7fW2S9uTXAnAu+wau5GZ8vywZu6SnzOWon6r5DGJXdHHPTXPeo09YgwDNjfSlwaFLlm10Mo5yQKU=,iv:kvsiEtVYEg6yWqRblo/1sjXaU5PRGRde1aCwMy487Wk=,tag:FmWIAVM2DVHDNVzlKNfRXg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.10.1" } 
From 28ae135d00a637e57459bccd8aebba2b451a8b7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 16:55:53 +0200
Subject: [PATCH 3/7] feat: add mail server
---
 flake.lock | 73 +++++++++++++++++++++++-
 flake.nix | 3 +
 machines/moritz-server/configuration.nix | 1 +
 machines/moritz-server/mail-server.nix | 73 ++++++++++++++++++++++++
 4 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 machines/moritz-server/mail-server.nix
diff --git a/flake.lock b/flake.lock
index 26058b1..702ded0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -33,6 +33,22 @@
 "type": "github"
 }
 },
+ "blobs": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1604995301,
+ "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "blobs",
+ "type": "gitlab"
+ }
+ },
 "clan-core": {
 "inputs": {
 "data-mesher": "data-mesher",
@@ -239,6 +255,22 @@
 "type": "github"
 }
 },
+ "flake-compat_5": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "flake-parts": {
 "inputs": {
 "nixpkgs-lib": [
@@ -802,6 +834,29 @@
 "type": "github"
 }
 },
+ "nixos-mailserver": {
+ "inputs": {
+ "blobs": "blobs",
+ "flake-compat": "flake-compat_4",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-24_11": "nixpkgs-24_11"
+ },
+ "locked": {
+ "lastModified": 1746937334,
+ "narHash": "sha256-7g2GSePdYbpD1v5BxEVSCJ2Ogf4K5rc9sBB81FervUY=",
+ "owner": "simple-nixos-mailserver",
+ "repo": "nixos-mailserver",
+ "rev": "da66510f688b7eac54e3cac7c75be4b8dd78ce8b",
+ "type": "gitlab"
+ },
+ "original": {
+ "owner": "simple-nixos-mailserver",
+ "repo": "nixos-mailserver",
+ "type": "gitlab"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1736344531,
@@ -817,6 +872,21 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-24_11": {
+ "locked": {
+ "lastModified": 1734083684,
+ "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-24.11",
+ "type": "indirect"
+ }
+ },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1744309437,
@@ -1014,7 +1084,7 @@
 },
 "pre-commit-hooks": {
 "inputs": {
- "flake-compat": "flake-compat_4",
+ "flake-compat": "flake-compat_5",
 "gitignore": "gitignore_3",
 "nixpkgs": "nixpkgs_7"
 },
@@ -1048,6 +1118,7 @@
 "niri": "niri",
 "nix-index-database": "nix-index-database",
 "nix-monitored": "nix-monitored",
+ "nixos-mailserver": "nixos-mailserver",
 "nixpkgs": "nixpkgs_5",
 "nixvim": "nixvim",
 "nur": "nur",
diff --git a/flake.nix b/flake.nix
index 1be4ecf..50601a6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,9 @@
 inputs.flake-parts.follows = "flake-parts";
 };
+ nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 home-manager.url = "github:nix-community/home-manager";
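Review bot: `nixos-mailserver.url` carries no `ref`, so the input tracks the repository's default branch while its own lock entry in the flake.lock hunk above already depends on a `nixpkgs-24_11` input, and the followed `nixpkgs` can drift away from what that branch expects on the next `nix flake update`; nixos-mailserver maintains release branches matched to NixOS releases, so `nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11";` (or whichever release branch matches the nixpkgs you follow) keeps the module and its nixpkgs in step. The flake.lock hunks on this line are generated and need no change.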
diff --git a/machines/moritz-server/configuration.nix b/machines/moritz-server/configuration.nix
index a2e4b52..1fce48d 100644
--- a/machines/moritz-server/configuration.nix
+++ b/machines/moritz-server/configuration.nix
@@ -5,6 +5,7 @@
 ../../modules/moritz/shared.nix
 ./reverse-proxy.nix
 ./ddns.nix
+ ./mail-server.nix
 ];
 time.timeZone = "Europe/Berlin";
diff --git a/machines/moritz-server/mail-server.nix b/machines/moritz-server/mail-server.nix
new file mode 100644
index 0000000..b8c7fb3
--- /dev/null
+++ b/machines/moritz-server/mail-server.nix
@@ -0,0 +1,73 @@
+{
+ inputs,
+ pkgs,
+ config,
+ ...
+}: {
+ imports = [
+ inputs.nixos-mailserver.nixosModules.default
+ ./reverse-proxy.nix
+ ];
+ mailserver = {
+ enable = true;
+ fqdn = "mail.moritz.foo";
+ domains = ["moritz.foo"];
+
+ fullTextSearch = {
+ enable = true;
+ # index new email as they arrive
+ autoIndex = true;
+ enforced = "body";
+ memoryLimit = 500; # in MiB
+ };
+
+ loginAccounts = {
+ "main@moritz.foo" = {
+ hashedPasswordFile = config.clan.core.vars.generators.mail-server.files.main-password-hash.path;
+ aliases = ["@moritz.foo"];
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme";
+ acmeCertificateName = "any.moritz.foo";
+ };
+
+ clan.core.vars.generators.mail-server = {
+ prompts.main-password.type = "hidden";
+ prompts.main-password.persist = true;
+ prompts.main-password.description = "You can autogenerate a password, if you leave this prompt blank.";
+ files.main-password.deploy = false;
+ files.main-password-hash = {};
+
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.xkcdpass
+ pkgs.mkpasswd
+ ];
+ script = ''
+ prompt_value=$(cat "$prompts"/main-password)
+ if [[ -n "''${prompt_value-}" ]]; then
+ echo "$prompt_value" | tr -d "\n" > "$out"/main-password
+ else
+ xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > "$out"/main-password
+ fi
+ mkpasswd -s -m sha-512 < "$out"/main-password | tr -d "\n" > "$out"/main-password-hash
+ '';
+ };
+
+ services.roundcube = {
+ enable = true;
+ hostName = "webmail.moritz.foo";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.virtualHosts."webmail.moritz.foo".enableACME = false;
+ services.nginx.virtualHosts."webmail.moritz.foo".useACMEHost = "any.moritz.foo";
+}
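Review bot: In the generator script, `echo "$prompt_value"` hands the password to bash's builtin echo, which treats a value beginning with `-n`, `-e` or `-E` as an option and so stores (and then hashes) a mangled secret; `printf '%s' "$prompt_value" | tr -d "\n" > "$out"/main-password` writes it verbatim. The comment above `certificateScheme = "acme"` (stripped-down nginx, port 80 opened) describes nixos-mailserver's `acme-nginx` scheme as far as I know, whereas `acme` reuses the existing `security.acme` certificate named in `acmeCertificateName`, so either the comment should say that or the scheme should be `acme-nginx`. `mkpasswd -s -m sha-512` yields a sha512-crypt hash at the default round count; Dovecot also accepts bcrypt, which nixos-mailserver's documentation uses (`mkpasswd -sm bcrypt`) and which is the better default for a hash that is deployed to the host. The `aliases = ["@moritz.foo"]` entry is a catch-all, so every address at the domain lands in this one mailbox; fine if intended, but it widens the spam and enumeration surface and deserves a comment saying so.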
From af3d317903271cdf1eb9d0a6005cb1c1fa361552 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 17:50:58 +0200
Subject: [PATCH 4/7] Update vars via generator ddns-updater-conf for machine moritz-server
---
 .../ddns-updater-conf/config.json/secret | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
index 1245742..e8843fc 100644
--- a/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
+++ b/vars/per-machine/moritz-server/ddns-updater-conf/config.json/secret
@@ -1,19 +1,19 @@ { - "data": "ENC[AES256_GCM,data:xAfwazWdkDc86yIcFWuuBoyrGA/lFHzT6AKAGy691zM5Um6QAREZo7gCyuGLmRs5zu5mDkg4M5xAYwja0PYOfWvBiOLcYdFwzeeYqfFv7B9FSwGCn45EIRhFZOJH4VXaZDUDTsNN5RgwJbjl9d4exveJr8a0XBVZzIn/OK6tT2VnBcTRFw3Wd7LoVwXl/gXaHD9G8DTgJLmH16zRnvFw2o33ykRItHo5mfpkRJiX1Wv432ir9WOmUN5DOVYAXQrBdk9llId3hURqhWfPcysJzpESJBK8EdnkSq0PBJRTmRo+kMxXhVKCph0r9Pzg1zJxzChr28ZNWD2aumF0O59uNc7+XE7o4dd3eMK1sQ21VkRScgeJTTGtYxbMXEMplO2+yPw=,iv:x0ALrHu5i9UAn2nA2WcckOqBVBcOmLzIgvwS5ZADXSA=,tag:Y5agVeJwMFrikJrXZ3UtiQ==,type:str]", + "data": "ENC[AES256_GCM,data:MHXQQ3wglo2QGn15SE9nxOlLmn/UMxSWBzxGt1IdeN9o0MfpG6gNYpErKaOfaZXtJSqFkMEf0rY5uCzhufet/l7htDTrIFNpw1mXfJnJJq/baMcFK+6Fg3gr/ozo9qPj4a4Pl7CqC8iEBnnVHFkAp9rAkguuGYRgEE0wq4SCnJI5QkCh4AHrzNRz6WSantip1X8MhmsekCyoKg3JbkcaP94uEo/ttfRd4dm7talk5Nah2SIdVAicCbm5O1BQ1yatSL7zVuCi6IWPrkMvaJle4sjGDv18zj4gkMVQ+987MvC3DZ4HSXJIS+k5nlGPdXKjl3uEo+Lo/M9kMi/YTezuaHMlwIJ5s0p2Q18nBT8iNd1Q9Lgd7G4GrJZkpdT/9Vld,iv:HYLtql782z3xkwDBiBBq1b+Yo86MWcBflvd5SdK+GWA=,tag:RXGY/wGZNUYzmxcSATtqjg==,type:str]", "sops": { "age": [ { "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbTBrRzFxeDBLaWFHcWpa\nRUl2d1l3OTVhVkZvKzd2NW9lb0c5UjI1ZkJRCm5oSVV2TXdya0NhOG5qUm04NXdH\nek9nYjdtTVhHTHhuTjJGZk9jOWhUQlkKLS0tIEV2NFNCdEFuWCtONmMyYnYxdE5n\nTDJlSnlUY3g2WkxWWXBBZXZudWJnd1UKKYHj7q6Vto5+fSfZyi4Gw4kTBcP+aMzX\nmGbYPi5Gik9EU8AIrB0tD5H3D/ZSD2N0I3AfIgLlC69wcYxlf8XtnA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S2d4K25EV0lOYUJoTGt4\naU9SZW9neklKbUZuZzNLSlZyK1NRSnhkR3pZCmxvUVN2cFYydkc4QTZRVnV5T1VD\nS09MUWJDdnJjejRQdGxMU0VPeklyNEEKLS0tIDlNTHNaZHlvVlRIS1RHTjVIalFs\nUitZK2VyeThVTG5HQW55L2Z4TkdBalUKY3s+DfVR6tpztpLpXoH4tVOiVI7wmKiC\n/N9OwUMVG3Lv4HjE5EuVR6EqmjzQ1um709lUF2cdXIS6+e6tXhD9dA==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": 
"age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWZHdKb0MzdHA1MzNJVFhs\nNU44a0tGYTlCbXI4bU5wTDAwcEF6RThXb1ZBCk9iWnFQRFpqK3J1ZEMxd1Z2Ymdt\nNGVidjE3OWl6Nm4rL01SVi90NjlyVHMKLS0tIG9RUURLSVd6bUhNbE1kNFVRanFV\nQzZMUmNkNTlHNmtwR2xzL2laZzZVMFEKYTj14fT03nW+RGKlCdKtffA31tRBMnuo\nY/6SAAWGm0pqUP0mGT4hKr/5bSmFcMoTEy64LVBkWU0dd2dIn5urCA==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvYWM4a2thUjR5T3U3aGxN\nSjV5eUdwZVNBbWIxcGFyWFBvS25ybXNmZUdZCk9vRFAvSWx1SVpNR2NqbU95M29U\nY2RwTUtsQ0s5NEJTTy9GalBpMisvYTgKLS0tIG8rR01ubzZubk9UTFdtc0dNQTJp\nM1lpSEI1VTE2Y2RYblNWSWFmRGZ2b1EKdHVAc9qGXw5reK8wEplciJG8drGNYSMh\n4eI7l9U4mbKTD8N0iCc8I/qI/V/NUEoK97WfKR3eEqFgUPG+5RTx1g==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-14T11:53:23Z", - "mac": "ENC[AES256_GCM,data:Eq8h9tW+T8Fcl4/jYKC52xGZAGs5DR9vsYBYdCAfTmoz4HfowA/zfn7QY8Yqn3Mf3ifh7uUZD2GyEq3E3v18VZe6yTRlTsVsC1pm1Jl6lN1OXOOV/kowcsLE8o7mRMrGqSozjRYVZUwzaR49B1vPYwX44rpNLQmie+BCZBCNI8M=,iv:Y8BMtJzQryO3tepaAPgWI7ngdKKGLF0rrlyQWLF3n4E=,tag:r9nmFgzDmaxJaF8gOuZhKA==,type:str]", + "lastmodified": "2025-05-14T15:50:58Z", + "mac": "ENC[AES256_GCM,data:/4S7NCfwHQcBIFmz4NbUjIbF1n7SnBobcaN4g/RTEhDWxBbKIs4xsbNQLhS80n0esxYR8h+gmxv5rpxgwhqBsk89qTKmaWn2B1BCzjKx5jSEiY0El73/ci/ltHRaJzTbGdDFWA+G0L30KQk/gwcxOGlj/BzYiWW54V3me0JPJOc=,iv:zVmd388h9pK62M6JvBS0CriazSSBSRbFBzje0ThHDgw=,tag:NNvFA/ardkpDMrJH+J0LYw==,type:str]", "unencrypted_suffix": "_unencrypted", - "version": "3.10.1" + "version": "3.10.2" } } From 66db3a458c6ebdd594eea7226bd7bd084a39f1ee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 18:07:14 +0200
Subject: [PATCH 5/7] Update vars via generator borg-mail-server for machine moritz-server
---
 .../password/machines/moritz-server | 1 +
 .../borg-mail-server/password/secret | 19 +++++++++++++++++++
 .../borg-mail-server/password/users/moritz | 1 +
 .../borg-mail-server/ssh.id_ed25519.pub/value | 1 +
 .../ssh.id_ed25519/machines/moritz-server | 1 +
 .../borg-mail-server/ssh.id_ed25519/secret | 19 +++++++++++++++++++
 .../ssh.id_ed25519/users/moritz | 1 +
 7 files changed, 43 insertions(+)
 create mode 120000 vars/per-machine/moritz-server/borg-mail-server/password/machines/moritz-server
 create mode 100644 vars/per-machine/moritz-server/borg-mail-server/password/secret
 create mode 120000 vars/per-machine/moritz-server/borg-mail-server/password/users/moritz
 create mode 100644 vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519.pub/value
 create mode 120000 vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/machines/moritz-server
 create mode 100644 vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/secret
 create mode 120000 vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/users/moritz
diff --git a/vars/per-machine/moritz-server/borg-mail-server/password/machines/moritz-server b/vars/per-machine/moritz-server/borg-mail-server/password/machines/moritz-server
new file mode 120000
index 0000000..f18ca49
--- /dev/null
+++ b/vars/per-machine/moritz-server/borg-mail-server/password/machines/moritz-server
@@ -0,0 +1 @@
+../../../../../../sops/machines/moritz-server
\ No newline at end of file
diff --git a/vars/per-machine/moritz-server/borg-mail-server/password/secret b/vars/per-machine/moritz-server/borg-mail-server/password/secret
new file mode 100644
index 0000000..b165eac
--- /dev/null
+++ b/vars/per-machine/moritz-server/borg-mail-server/password/secret
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:R81lcIeP4/ZscX4OBsfQabtG1yzuMJgXDzibmIztX4k=,iv:pvuG5+/vKNyMvC0nhoqXU4GX3WERRAGvTncH61SUc+M=,tag:PIZqJy90KsIFOEqiqWlmOQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b2Q4bDhYWXdpY2VYY2Fv\nakhTSVF6QXlrMWRVcGsrUjcvVVNvRlRnSm44ClJwNTk3YTRUa3ZLY051eHJqckZM\nSTFzVkZRdW9OQW4rWGM1c2VzZ2l2WVEKLS0tIFJVaWt1R1dzM3BVY3FPNEVXMWRZ\nUzBBZGFvZCtRV2hRS045U1o2eFBzZTQKzbGAsI3NwYkkwHU3jtiv4DCli0eaAwm2\nnNR2/4isse5SC/4tW25enwZ4FB/ptU6o8XTHEuM89KIyh9zb1lB2xg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMU5NUVJ4TWo1ZHUyMDZq\nTjFuY3RXRlhDN3lSMU9WdUFJNzEvQmQrNEI4CjJKR3BTcXR5MWJLdERDUG1rbTI4\nV3JMMXRNTmFzZFR4TlZzYUc1eStHMVUKLS0tIFdsSU5IWGdtMW9tZjVKWmdDQ1F1\nVjV0TEhxbFU0Z0pCQ1g4Nk91Zm1IcmMKqbhk7UOn8xyQm9xuKE6Hc/5VDa92jTnJ\n/2CPMxgdan5ac0kIiBLe+Rzanl/O2UVX15VT3Bt8tDxV6/LTUWyFSQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T16:07:13Z", + "mac": "ENC[AES256_GCM,data:XuTSJVeQ8O2kWJlHYD+gbyhxWdeDy65wj/JSxWJjDy3o+tGOTUzBC4IblldE32V5UhUS+jGhIDMvuAFWw7SpHxR3UDW4iJs1p3/dmHIjjAvq0bLCy7iZwQvNQNh91HL/n3A0fHRfml1cp8dBTvUFbtAMUYoJVYiynnQJtjAhrB0=,iv:oPwoAo1gG8ZRoI6Ex6BBaKojlDcANdZCkk4tejkR7ZY=,tag:cCXdxyGYqI5Zfny+rB2Mpw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/vars/per-machine/moritz-server/borg-mail-server/password/users/moritz b/vars/per-machine/moritz-server/borg-mail-server/password/users/moritz new file mode 120000 index 0000000..1b45802 --- /dev/null +++ b/vars/per-machine/moritz-server/borg-mail-server/password/users/moritz @@ -0,0 +1 @@ +../../../../../../sops/users/moritz \ No newline at end of file 
diff --git a/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519.pub/value b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519.pub/value
new file mode 100644
index 0000000..9ba1f45
--- /dev/null
+++ b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519.pub/value
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILi9t5Z8UyDuuEHCSLBuCECO8GIGSPbdVNInyWVOzJwd nixbld@moritz-desktop
diff --git a/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/machines/moritz-server b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/machines/moritz-server
new file mode 120000
index 0000000..f18ca49
--- /dev/null
+++ b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/machines/moritz-server
@@ -0,0 +1 @@
+../../../../../../sops/machines/moritz-server
\ No newline at end of file
diff --git a/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/secret b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/secret
new file mode 100644
index 0000000..020e71b
--- /dev/null
+++ b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/secret
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:/xF50Sh6crQfPIOrH/yfV75BOhNIaJ2RSH1WZ1nFtzIftc+tfceQXGSjTG+NTEcca6dcjEcY+YUvgJxwzgv+vmL8BM3FpQfmm9xpA9IKGxn2v2IVUGeIQ4BEMlCwlmxYTBovpsvs0wgwKpBLBZ+frzhQR/AiCB73l1cicQd1UyYwRFzKRjL8GXdO6ido1z3b3j0a02u5VYAOcpzbmIrqppc97HpttsQO6PPnWzf03XOehBYgbbCBI3nZr3rHQyot5xW3VNcXq7peKdRYPV301aNtsFRuafczCsf162TfF5cP9PZ+nrahGby2ZojqZnVfop2qA3nm7YGcoz4pHYNDI8/N+Vyr4UPwGPFR7TYUL4c64zuG0rYiHl6VyEcja4fRt5eY3kva1+5Vt4uPPhqUrZSGKmRse4kolwZGO+UA4XJeIMbI78poPHQHNE2EpOiu3PkuASurA/zXNbWF/56moSUSisJgOoKbtfGCMNgEMD/kjZ6QJMnKBVHazDN+LFhJW7zUT8cPSm6/hI2WeNkFDPWPcIP0KzvVMoxL,iv:Bis5T+5Stq3jQrfs8mvBpzGd3k9MhsuNeiV/jadrRII=,tag:SVNKbB61izFu3xLHFc4QbA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSk9DbllEU3BGWU9pc1Iz\nekhVYzBDT2kxSHR1eGN4SkZ2MjNlUzUxVVE0Cng5TGI2K0RwZVNhWlA1eEFIaTNP\neENOVXh1NFg5N2Q4djUwMzdkZmRVRUUKLS0tIHRSa0JvMVg5eDUrU0NNZUtESW1Q\nZlgzKzlqWVFTRnBWdkRkRThhajkzWlkK0G0QSRbM+2KwXk2YzRmPpkXxbQymLODh\nAYhe1rERYC0HbvdMomvzLtWII9vs1uviW9JarktGMtB9WWgzeN4Mxg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1wwlwwv9gscl9z6k59z6pp8hcay7vehvqp6y5f85pjyd9seqe8s0q5dkmr4", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHa3lqenN2aDcxdVErQTFM\nTEs4YzV0SjkyM2pDUjBoZHBSVm1NWnl2MEZzClRjbm12dHUydkVpeWpDZGtVTDhv\nVUVobGM3dTJ0V0xnWEZOTWtFNldFZncKLS0tIDNGcU01MEdJSGFIR01HM2JuMXd0\nNkxldmdqN3lacFdvUWdUNGFobUZNWGsKokQ9bBFubI+9bTcYksHpM928mqSACv9F\nSu6z3fZlQg3HpPHDjaTUz8IZhCpwXc9hWZD7U60fYHnsT6vNIp50Hg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T16:07:14Z", + "mac": 
"ENC[AES256_GCM,data:+u38X/0P8Mj7KjkUpKBPD5lZJiniztcwpb5lAljqDQlmgNZgh3xVCGrYvA58s8fvBOCUSkUMDqyj0jCKSklJwf++OD7xbky7QVI3StlzDjDEprLR31CN8gmtWNFcECeTXer9gp0A0VcfY/JIFk2lN2gxZqqS+54jpec5WD9FfPc=,iv:mJOC5R7gNSpDj2zMW5qdVNfqjPT3I6pa5WW2u2T8eyE=,tag:wHzEz78zmR9JvNcHvawk6A==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/users/moritz b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/users/moritz new file mode 120000 index 0000000..1b45802 --- /dev/null +++ b/vars/per-machine/moritz-server/borg-mail-server/ssh.id_ed25519/users/moritz @@ -0,0 +1 @@ +../../../../../../sops/users/moritz \ No newline at end of file From da695ac9b17f5899f514de85f267aac92500938f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moritz=20B=C3=B6hme?= Date: Wed, 14 May 2025 18:25:57 +0200 Subject: [PATCH 6/7] Update vars via generator moritz-email-new for machine moritz-desktop --- .../password/machines/moritz-desktop | 1 + vars/shared/moritz-email-new/password/secret | 19 +++++++++++++++++++ .../moritz-email-new/password/users/moritz | 1 + 3 files changed, 21 insertions(+) create mode 120000 vars/shared/moritz-email-new/password/machines/moritz-desktop create mode 100644 vars/shared/moritz-email-new/password/secret create mode 120000 vars/shared/moritz-email-new/password/users/moritz diff --git a/vars/shared/moritz-email-new/password/machines/moritz-desktop b/vars/shared/moritz-email-new/password/machines/moritz-desktop new file mode 120000 index 0000000..fc84b2f --- /dev/null +++ b/vars/shared/moritz-email-new/password/machines/moritz-desktop @@ -0,0 +1 @@ +../../../../../sops/machines/moritz-desktop \ No newline at end of file diff --git a/vars/shared/moritz-email-new/password/secret b/vars/shared/moritz-email-new/password/secret new file mode 100644 index 0000000..8bf4f43 --- /dev/null +++ b/vars/shared/moritz-email-new/password/secret 
@@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:IXktUisgMZF1FtVgeYGMw1hGmlen6aYRXebYDbzIvlk=,iv:tmfL9DNr39QGOIYbijyGY38Q/kbHrE5emMZlNXKLLnE=,tag:8J+E7Y+Agv6YyY8eStgbRw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age12jlzcjwwhtgws4ku4nemwknsps3a6um74kdpxfv9pzvgdlhufp8q08c0j7", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTkJwTWVnRko1UGh5YVdV\naXdlSmljZkJBOUxGeGY4QStGNjlrQURpWmtzCmRiV3NpVCtleFJaYkNOOTZPajFF\nbFlaOUhTMDEveGVLTTRsdnZHWnBneWMKLS0tIHBBbEVuQzFUTG1pZGRnZ01hVUVR\nMHhhN0xITHRQdjdHTFBBeGdzYk1BKzQK8OScWI7g1Y12lwqY0H38d/6REtLXurIB\nT7YeF27RUxh5SojvY25x/lmTu7djueGxP0VH4wH4P11sRk7im10G5w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age13u2jaly7xxpehmh0r9573gzrh5ffcstfx7u7py57lrugm09nxqeqx5w265", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYWtqakhoMzNXcmJ3bjQ2\nL3UxbHFQWGFWb1MxZURUWU1LbXJFaUFsU0VNCklYcE10aGZKazM3Znh1bXA0dVBM\naDc5UlQ3RytzY2FPTmNndWo1cmlReEEKLS0tIE5hVlFEVElJL2QrWmNkd3NOaWwv\nTTlNWVE2RzFlWmQzMVFDeEVCZFlJcHcKo2Xvh+YiW1hrFsjcgJstMj5BkAR0QbgI\nlswG2kNlwVixFwScqrHoQ4u+Uvzj7KOR+ZRtrCfq4X2D2pnI4oLh7w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-14T16:25:57Z", + "mac": "ENC[AES256_GCM,data:lq9JZdR02UxcvkE5Pb5sD17bvfaYEpty3LYZpeIrHtHs5pvuvX5j+TfOnHqgPrvyYtmsyPVtQSXwUxjC0PaMNrW991WyMMA1+TnXvVDQ/VuVR6RD00wxY1BbnPGJr9EE09tkxaPXtRJUnEx6XC9RwbyrmcmZeOJxl2nBZ6v6JVs=,iv:MRWsgkCRyMzAQVQJJ5MGubpu+XpjsFRy15vLwbuIJv4=,tag:Jg95qmIgu/DrQZGksjt+xw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/vars/shared/moritz-email-new/password/users/moritz b/vars/shared/moritz-email-new/password/users/moritz new file mode 120000 index 0000000..ed9f9a8 --- /dev/null +++ b/vars/shared/moritz-email-new/password/users/moritz @@ -0,0 +1 @@ +../../../../../sops/users/moritz \ No newline at end of file From 90170ba821d3a1de5c7f5702c3bd30b9fcf86910 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Wed, 14 May 2025 18:46:23 +0200
Subject: [PATCH 7/7] feat: add borgbackup for mail
---
 machines/moritz-server/mail-server.nix | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/machines/moritz-server/mail-server.nix b/machines/moritz-server/mail-server.nix
index b8c7fb3..14d87cf 100644
--- a/machines/moritz-server/mail-server.nix
+++ b/machines/moritz-server/mail-server.nix
@@ -70,4 +70,40 @@
 };
 services.nginx.virtualHosts."webmail.moritz.foo".enableACME = false;
 services.nginx.virtualHosts."webmail.moritz.foo".useACMEHost = "any.moritz.foo";
+
+ services.borgbackup.jobs = {
+ mailDirectory = {
+ paths = config.mailserver.mailDirectory;
+ repo = "u461386-sub1@u461386.your-storagebox.de:mailDirectory";
+ doInit = true;
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.clan.core.vars.generators.borg-mail-server.files.password.path}";
+ };
+ environment = {BORG_RSH = "ssh -i ${config.clan.core.vars.generators.borg-mail-server.files."ssh.id_ed25519".path} -p 23";};
+ compression = "auto,zstd";
+ startAt = "hourly";
+ persistentTimer = true;
+ prune.keep = {
+ within = "1d"; # Keep all archives from the last day
+ daily = 7;
+ weekly = 3;
+ monthly = 3;
+ };
+ };
+ };
+
+ clan.core.vars.generators.borg-mail-server = {
+ prompts.password.persist = true;
+
+ files."ssh.id_ed25519" = {};
+ files."ssh.id_ed25519.pub".secret = false;
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.openssh
+ ];
+ script = ''
+ ssh-keygen -t ed25519 -N "" -f "$out"/ssh.id_ed25519
+ '';
+ };
 }
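Review bot: `BORG_RSH` neither pins the storage box's host key nor names a known_hosts file, and nothing in this hunk adds one, so the root-owned backup unit either fails non-interactively on its first connection (unknown host key, no tty) or, if host-key checking is relaxed anywhere in the configuration, would send the backup stream and the passphrase-protected repokey to whatever answers on port 23. Unless `programs.ssh.knownHosts` already covers this host elsewhere, add `programs.ssh.knownHosts."[u461386.your-storagebox.de]:23".publicKey = "<STORAGE-BOX-HOST-KEY>";` (placeholder; take the key from the provider's published fingerprints) or extend `BORG_RSH` with `-o UserKnownHostsFile=<path> -o StrictHostKeyChecking=yes`. `prompts.password.persist = true` has no fallback for an empty prompt, so a blank answer would presumably make `passCommand` emit an empty passphrase for the `repokey` repository; the mail-server generator earlier in this file falls back to xkcdpass when its prompt is blank, and the same pattern (or a non-empty check in the script) belongs here. The enclosing attribute set starts outside the hunk.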