feat: init mailing

hosts/frikandel/default.nix

@@ -5,5 +5,7 @@
 
     ./networking.nix
     ./wireguard.nix
+    ./email.nix
+    ./website.nix
   ];
 }

hosts/frikandel/email.nix

@@ -0,0 +1,35 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  age.secrets."mail@b12f.io-password" = {
+    file = "${flake.self}/secrets/mail@b12f.io-password.age";
+    mode = "400";
+    owner = "maddy";
+  };
+
+  services.maddy = {
+    enable = true;
+    primaryDomain = "b12f.io";
+
+    ensureAccounts = [
+      "mail@b12f.io"
+    ];
+
+    ensureCredentials = {
+      # Do not use this in production. This will make passwords world-readable
+      # in the Nix store
+      "mail@b12f.io".passwordFile = "${pkgs.writeText "postmaster" "test"}";
+    };
+
+    tls = {
+      certificates = [
+        {
+          keyPath = "";
+          certPath = "";
+        }
+      ];
+    };
+  };
+}

hosts/frikandel/networking.nix

@@ -7,7 +7,12 @@
 }: {
   networking.hostName = "frikandel";
   networking.hostId = "44234773";
-  networking.nameservers = [ "9.9.9.9" ];
+  networking.nameservers = [
+    "193.110.81.0#dns0.eu"
+    "2a0f:fc80::#dns0.eu"
+    "185.253.5.0#dns0.eu"
+    "2a0f:fc81::#dns0.eu"
+  ];
 
   services.openssh.openFirewall = true;
 
@@ -25,4 +30,14 @@
     address = "fe80::1";
     interface = "enp1s0";
   };
+
+  # Caddy reverse proxy for local services like cups
+  services.caddy = {
+    globalConfig = ''
+      default_bind 128.140.109.213 2a01:4f8:c2c:b60::
+      # auto_https off
+      email acme@benjaminbaedorf.eu
+      # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+    '';
+  };
 }

secrets/secrets.nix

@@ -68,4 +68,6 @@ in {
 
   "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
   "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
+
+  "mail@b12f.io-password.age".publicKeys = frikandelKeys ++ baseKeys;
 }