attempt mailserver?

2026-01-02 18:05:01 +01:00
parent 33814b565d
commit e665bb0b14
6 changed files with 200 additions and 1 deletions
--- a/machines/109-199-104-83/configuration.nix
+++ b/machines/109-199-104-83/configuration.nix
@@ -2,8 +2,86 @@
  config,
  modulesPath,
  machine,
+  pkgs,
  ...
 }: {
+  # mailserver config
+  mailserver = {
+    enable = true;
+    stateVersion = 3;
+    fqdn = "mail.galaxious.de";
+    domains = ["galaxious.de"];
+    x509.useACMEHost = config.mailserver.fqdn;
+    loginAccounts = {
+      "test@galaxious.de" = {
+        hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
+      };
+    };
+  };
+
+  # wildcard cert config
+  # systemctl start galaxious.de.service & journalctl -fu acme-galaxious.de.service
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "security@example.com";
+    certs."mail.galaxious.de" = {
+      domain = "mail.galaxious.de";
+      dnsProvider = "rfc2136";
+      environmentFile = "/var/lib/secrets/certs.secret";
+      dnsPropagationCheck = false;
+    };
+  };
+  services.bind = {
+    enable = true;
+    extraConfig = ''
+      include "/var/lib/secrets/dnskeys.conf";
+    '';
+    zones = [
+      rec {
+        name = "galaxious.de";
+        file = "/var/db/bind/${name}";
+        master = true;
+        extraConfig = "allow-update { key rfc2136key.galaxious.de; };";
+      }
+    ];
+  };
+  systemd.services.dns-rfc2136-conf = {
+    requiredBy = [
+      "acme-galaxious.de.service"
+      "bind.service"
+    ];
+    before = [
+      "acme-galaxious.de.service"
+      "bind.service"
+    ];
+    unitConfig = {
+      ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
+    };
+    serviceConfig = {
+      Type = "oneshot";
+      UMask = 77;
+    };
+    path = [pkgs.bind];
+    script = ''
+      mkdir -p /var/lib/secrets
+      chmod 755 /var/lib/secrets
+      tsig-keygen rfc2136key.galaxious.de > /var/lib/secrets/dnskeys.conf
+      chown named:root /var/lib/secrets/dnskeys.conf
+      chmod 400 /var/lib/secrets/dnskeys.conf
+
+      # extract secret value from the dnskeys.conf
+      while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
+
+      cat > /var/lib/secrets/certs.secret << EOF
+      RFC2136_NAMESERVER='127.0.0.1:53'
+      RFC2136_TSIG_ALGORITHM='hmac-sha256.'
+      RFC2136_TSIG_KEY='rfc2136key.galaxious.de'
+      RFC2136_TSIG_SECRET='$secret'
+      EOF
+      chmod 400 /var/lib/secrets/certs.secret
+    '';
+  };
+
  system.stateVersion = "25.11";
  nix.settings.experimental-features = ["flakes" "nix-command"];
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];