From af233793fbcaf824f2b38b8580e5c364da1fd002 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Wed, 22 May 2024 21:49:34 +0200 Subject: [PATCH 01/13] initial work on mail --- flake.lock | 104 ++++++++++++++++++++++ flake.nix | 7 ++ hosts/default.nix | 13 +++ hosts/metronom/backups.nix | 13 +++ hosts/metronom/configuration.nix | 34 +++++++ hosts/metronom/default.nix | 13 +++ hosts/metronom/hardware-configuration.nix | 48 ++++++++++ hosts/metronom/mail.nix | 26 ++++++ hosts/metronom/networking.nix | 19 ++++ hosts/metronom/wireguard.nix | 54 +++++++++++ lib/deploy.nix | 2 +- secrets/mail/hensoko.age | 44 +++++++++ secrets/metronom-wg-private-key.age | 43 +++++++++ secrets/secrets.nix | 7 ++ 14 files changed, 426 insertions(+), 1 deletion(-) create mode 100644 hosts/metronom/backups.nix create mode 100644 hosts/metronom/configuration.nix create mode 100644 hosts/metronom/default.nix create mode 100644 hosts/metronom/hardware-configuration.nix create mode 100644 hosts/metronom/mail.nix create mode 100644 hosts/metronom/networking.nix create mode 100644 hosts/metronom/wireguard.nix create mode 100644 secrets/mail/hensoko.age create mode 100644 secrets/metronom-wg-private-key.age diff --git a/flake.lock b/flake.lock index 592f3eed..9d18f91b 100644 --- a/flake.lock +++ b/flake.lock @@ -27,6 +27,22 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", 
@@ -128,6 +144,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -328,6 +360,21 @@ "type": "github" } }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1714640452, @@ -340,6 +387,21 @@ "url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "root": { "inputs": { "agenix": "agenix", 
@@ -354,10 +416,37 @@ "nixos-flake": "nixos-flake", "nixpkgs": "nixpkgs", "nixpkgs-2205": "nixpkgs-2205", + "simple-nixos-mailserver": "simple-nixos-mailserver", "triton-vmtools": "triton-vmtools", "unstable": "unstable" } }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_2", + "nixpkgs-23_05": "nixpkgs-23_05", + "nixpkgs-23_11": [ + "nixpkgs" + ], + "utils": "utils_2" + }, + "locked": { + "lastModified": 1706219574, + "narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-23.11", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -475,6 +564,21 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f66a4b7e..a9e1e6d1 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,9 @@ element-stickers.url = "git+https://git.pub.solar/pub-solar/maunium-stickerpicker-nix?ref=main"; element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker"; element-stickers.inputs.nixpkgs.follows = "nixpkgs"; + + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; + simple-nixos-mailserver.inputs.nixpkgs-23_11.follows = "nixpkgs"; }; outputs = 
@@ -123,6 +126,10 @@ hostname = "10.7.6.2"; sshUser = username; }; + metronom = { + hostname = "49.13.236.167"; + sshUser = username; + }; tankstelle = { hostname = "80.244.242.5"; sshUser = username; diff --git a/hosts/default.nix b/hosts/default.nix index 429730cf..8ded7cc3 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -59,6 +59,19 @@ ]; }; + metronom = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./metronom + self.nixosModules.overlays + self.nixosModules.unlock-zfs-on-boot + self.nixosModules.core + + self.inputs.simple-nixos-mailserver.nixosModule + ]; + }; + tankstelle = self.nixos-flake.lib.mkLinuxSystem { imports = [ self.inputs.agenix.nixosModules.default diff --git a/hosts/metronom/backups.nix b/hosts/metronom/backups.nix new file mode 100644 index 00000000..c5bf79b8 --- /dev/null +++ b/hosts/metronom/backups.nix @@ -0,0 +1,13 @@ +{ flake, ... }: +{ + age.secrets."restic-repo-droppie" = { + file = "${flake.self}/secrets/restic-repo-droppie.age"; + mode = "400"; + owner = "root"; + }; + age.secrets."restic-repo-storagebox" = { + file = "${flake.self}/secrets/restic-repo-storagebox.age"; + mode = "400"; + owner = "root"; + }; +} diff --git a/hosts/metronom/configuration.nix b/hosts/metronom/configuration.nix new file mode 100644 index 00000000..a423d4e3 --- /dev/null +++ b/hosts/metronom/configuration.nix 
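Review bot: The new `metronom` deploy node targets the public address `49.13.236.167`, while networking.nix in this same patch leaves `services.openssh.openFirewall = true` under a `# TODO: ssh via wireguard only` note and wireguard.nix assigns the host `10.7.6.3`. The node directly above deploys over its WireGuard address (`10.7.6.2`), so once that TODO is resolved this entry has to change as well. If the admin machines are WireGuard peers, as the `wireguardDevices` peer list suggests, pointing `hostname` at `10.7.6.3` now — or at least adding `# switch to 10.7.6.3 once sshd is WireGuard-only` next to it — keeps the two from drifting apart. The `outputs` attribute set this node belongs to continues outside the hunk.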
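Review bot: backups.nix is dead configuration in this patch: hosts/metronom/default.nix keeps its import commented out (`#./backups.nix`), and the secrets.nix hunks grant `metronomKeys` only to `metronom-wg-private-key.age` and `mail/hensoko.age`. Unless the `restic-repo-droppie.age` / `restic-repo-storagebox.age` entries (outside the visible hunks) already list this host, enabling the import later will fail at activation because agenix cannot decrypt those files with metronom's host key. Either leave the file out until the backup jobs are actually configured, or add `metronomKeys ++` to those two entries in the same change that uncomments the import.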
@@ -0,0 +1,34 @@
+{
+ flake,
+ config,
+ pkgs,
+ ...
+}:
+{
+ boot.loader.systemd-boot.enable = true;
+ boot.supportedFilesystems = [ "zfs" ];
+
+ boot.kernelParams = [
+ "boot.shell_on_fail=1"
+ "ip=dhcp"
+ ];
+
+ boot.initrd.availableKernelModules = [ "igb" ];
+
+ # https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
+ systemd.services.zfs-mount.enable = false;
+
+ # Declarative SSH private key
+ #age.secrets."metronom-root-ssh-key" = {
+ # file = "${flake.self}/secrets/metronom-root-ssh-key.age";
+ # path = "/root/.ssh/id_ed25519";
+ # mode = "400";
+ # owner = "root";
+ #};
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/hosts/metronom/default.nix b/hosts/metronom/default.nix
new file mode 100644
index 00000000..c6e90714
--- /dev/null
+++ b/hosts/metronom/default.nix
@@ -0,0 +1,13 @@
+{ flake, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./configuration.nix
+
+ ./networking.nix
+ ./mail.nix
+ ./wireguard.nix
+ #./backups.nix
+ ];
+}
diff --git a/hosts/metronom/hardware-configuration.nix b/hosts/metronom/hardware-configuration.nix
new file mode 100644
index 00000000..f891016e
--- /dev/null
+++ b/hosts/metronom/hardware-configuration.nix
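Review bot: `"boot.shell_on_fail=1"` in `boot.kernelParams` hands out an unauthenticated root shell in the initrd whenever stage 1 fails, and nothing in the file says why that is wanted on a mail host. If it is a deliberate recovery aid for the remote ZFS unlock path, say so above the list, e.g. `# Drop to an initrd root shell if stage 1 fails; only reachable through the hosting console, remove once remote unlock is proven`; otherwise drop the parameter. The commented-out `age.secrets."metronom-root-ssh-key"` block is likewise unexplained dead config and should either get a one-line reason for staying or be removed.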
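Review bot: The module header `{ flake, ... }:` in default.nix binds an argument the body never uses; `{ ... }:` is enough and avoids suggesting a dependency that is not there. The `#./backups.nix` entry deserves a short reason for being disabled, e.g. `# TODO: enable once the restic secrets are granted to metronomKeys`, so the commented import is not mistaken for a leftover.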
@@ -0,0 +1,48 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "usbhid" + "sr_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "root_pool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2083-C68E"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/metronom/mail.nix b/hosts/metronom/mail.nix new file mode 100644 index 00000000..a68351ed --- /dev/null +++ b/hosts/metronom/mail.nix 
@@ -0,0 +1,26 @@
+{ config, flake, ... }:
+
+{
+ age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
+
+ mailserver = {
+ enable = true;
+ fqdn = "metronom.pub.solar";
+ domains = [ "pub.solar" ];
+
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
+ loginAccounts = {
+ "hensoko@pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-hensoko.path;
+ aliases = [ "postmaster@pub.solar" ];
+ };
+ };
+
+ # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+ # down nginx and opens port 80.
+ certificateScheme = "acme-nginx";
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "security@pub.solar";
+}
diff --git a/hosts/metronom/networking.nix b/hosts/metronom/networking.nix
new file mode 100644
index 00000000..8d57a051
--- /dev/null
+++ b/hosts/metronom/networking.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ pkgs,
+ flake,
+ ...
+}:
+{
+
+ networking.hostName = "metronom";
+ networking.domain = "pub.solar";
+ networking.hostId = "00000002";
+
+ networking.enableIPv6 = true;
+ networking.useDHCP = false;
+ networking.interfaces."enp1s0".useDHCP = true;
+
+ # TODO: ssh via wireguard only
+ services.openssh.openFirewall = true;
+}
diff --git a/hosts/metronom/wireguard.nix b/hosts/metronom/wireguard.nix
new file mode 100644
index 00000000..ff736a01
--- /dev/null
+++ b/hosts/metronom/wireguard.nix
@@ -0,0 +1,54 @@
+{
+ config,
+ pkgs,
+ flake,
+ ...
+}:
+{
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+
+ age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age";
+
+ networking.wireguard.interfaces = {
+ wg-ssh = {
+ listenPort = 51820;
+ mtu = 1300;
+ ips = [
+ "10.7.6.3/32"
+ "fd00:fae:fae:fae:fae:3::/96"
+ ];
+ privateKeyFile = config.age.secrets.wg-private-key.path;
+ peers = flake.self.logins.admins.wireguardDevices ++ [
+ {
+ # flora-6.pub.solar
+ endpoint = "80.71.153.210:51820";
+ publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+ allowedIPs = [
+ "10.7.6.2/32"
+ "fd00:fae:fae:fae:fae:2::/96"
+ ];
+ }
+ {
+ # nachtigall.pub.solar
+ endpoint = "138.201.80.102:51820";
+ publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+ allowedIPs = [
+ "10.7.6.1/32"
+ "fd00:fae:fae:fae:fae:1::/96"
+ ];
+ }
+ ];
+ };
+ };
+
+ #services.openssh.listenAddresses = [
+ # {
+ # addr = "10.7.6.3";
+ # port = 22;
+ # }
+ # {
+ # addr = "[fd00:fae:fae:fae:fae:3::]";
+ # port = 22;
+ # }
+ #];
+}
diff --git a/lib/deploy.nix b/lib/deploy.nix
index 7f49289f..0cdb0eb4 100644
--- a/lib/deploy.nix
+++ b/lib/deploy.nix
@@ -8,7 +8,7 @@ { lib, inputs }:
let

# https://github.com/serokell/deploy-rs#overall-usage
- system = "x86_64-linux";
+ system = "aarch64-linux";
pkgs = import inputs.nixpkgs { inherit system; };
deployPkgs = import inputs.nixpkgs {
inherit system;
diff --git a/secrets/mail/hensoko.age b/secrets/mail/hensoko.age
new file mode 100644
index 00000000..7a613f11
--- /dev/null
+++ b/secrets/mail/hensoko.age
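Review bot: The interface is named `wg-ssh`, yet the `services.openssh.listenAddresses` block that would actually bind sshd to `10.7.6.3` / `fd00:fae:fae:fae:fae:3::` ships commented out, while networking.nix in the same patch opens sshd on every interface under a TODO; the intended end state is now split across two files with nothing tying them together. Once WireGuard deploys are confirmed to work, enable the listen addresses here (the `ips` they reference are assigned a few lines above) and flip `openFirewall`; until then replace the dead block with a single comment pointing at the networking.nix TODO so the two are closed together. The `pkgs` argument in the module header is unused and can go.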
@@ -0,0 +1,44 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg F7J2BMCNuOUcZhcbEyXBbFHkOI4sVA0qXbRmCWYNBAE +Na/iuNS8cxz0qEiosflBEB9TAF87sQgwBbUl0/fhmZo +-> ssh-ed25519 uYcDNw Xd8D3eCNMcXrxlYef4kj1N4CD16b5Xs3pfA/J8RJQDk +UoBSRBj4wS1cxnDV37JjW5kBP2XWWo7seJJsU0y0cEA +-> ssh-rsa f5THog +OxPFa8NRWqy2ShVfYtxqZWfJAmgkYd2xg2E8vNCPoWafo/6hBob7C+4hDiKRZPZa +EVLw0wgTe/nlMzBLOO3FlgZ0Ceb/uA2n4nu7st6mjwYQpsmVXwZoap88B2b+GYCs +GG4sgybkZ/BrfFgm94TIcC1lr2lMjA6C4xhC9Mphf2iEQf1wjL4N1msOC4gTAW8Q +zaH+K+qNEbTXne5Pox9wp6FjApSx33ldqRxOSzcf7RUuL2ew/63fTywW8ZdHcUgm +usKqBZX9vyhLdsHzZWSXwetybMfKWs1ry5kU3ekf9EmAAkSiukFxFdr7PON3l+VV ++hNFxi7RBKGC2u+ZE2Oh/MdXkKHMIVuJE1yhUJyiirH9/Mj2S6gOpSL7pjXIQdbC +RoGoE4fHWtp14Yn5X2YQCeGYPS+y87md9qKlVTzf29u95UjVkN4V8xwquOssWp/P +qlBJscmU3cp+U3W4Gzh1k1IwdBQ7B26rUOFEwa2/DI8VsBd/x4WmLQGiIe0VnOIB +YCekxeLrl4AAf/XTEc/qNTaXcn3OguMMq6KzyeWMTdKsrcw7/P7j+06SbK+Co57D +7zt/h2dDeAEz1eo7yGLu/zd2s2iyEBNxnzvSqvRpYAkcNNI7DvNfdotDYWj0kbuW +rKfPKnXOUvf9tKsjbd1BRI563TpcoL3ebnokhBfu+v4 +-> ssh-rsa kFDS0A +k8vywS465lFJyN/RvPMx3OUSl3UG2phrlZ0QY9BL2Gqf79tiSqMrWFCKqeZ8Djg6 +yDNC8F62IwWSQB030iWQMhQfI3FM9BFepmMpVE3zviyg1WRTNgLl9vdpjLP4FuNi +Il5S3T49RmUgAzsPGMs0UWLhEudm9tJOU3tI3XD32tG7mYVrMcimtog8/1zasFf1 +GE3H3MyBiuawfSu0uMnQ267rxYiGF75bI8Er1nI7zIF55Lw7twHLjN+KOlSed3Vk +VU7tNeRKfbircTrfxXo0I6SVPuX21SfBP5RWq4KrO/h4chW36OLxza2eiRvy74lY +/MekrH3PgO0q7y+uqeSbiGAcvL1UXeZFFdItv5pKxMC95vpdsEhoywO8Rj6dd+9q +iQjmy5RS/HC6uDzbqAl0HQSq1fZXO3UO0fQg5Rv3whpKMBHVMTU/PVimP93oAu4J +rXnUUpqpKJqecVDYQT4XSuMDK5Iw+S+7RLxBk6hIYsg0jtywqgwD+zF1S8RHi9kK +BEX5mR3NC/B+LdHAzphYQkHuY6UOk5AcgMO5jYCLtVK4vqlvTJPVbTSgdO86rmdy +nZXZmi0Uqgz8QEdOgIp0ego8WdqGkZF0aQwMUw11Bi+78Asx5+hy+fUncw0qZndZ +04ayMacztVL0cEaQ1AeOf85z0MPOugcVYFvih/XkgjE +-> piv-p256 vRzPNw AyKY9szzF5MMfOBUISqtfu4EVk3GWOQ2WSqwgn8tCE9B +uoSrnNdzVP1WO3uZflc+Va6cT8y5AfUpm8P3njiSQzo +-> piv-p256 zqq/iw Atu7Vk8b6dyNLZcLFtnOkAlYxOMN033PV/bv8O77LORR +jbYx5/YXY6LwoFvOfXHHPhTiMOMLwgbENvFzFmGf6ak +-> ssh-ed25519 YFSOsg BCuhqDI2VVkG3gk927TjEOLLOQNeURfxVbGodW/Xh2c 
+lUEeZrF5FSC/e6XRxWNQq5B7oC70mKit56AIrWMTKCY +-> ssh-ed25519 iHV63A Job9bw0T6OJpmgeizCOyNGqA9YHrcbml8sj+9kadKVw +4+pfaDyrgXuj8DKQzMj04nk2KRfobvQ6Z+E7RDOUm24 +-> ssh-ed25519 BVsyTA 2cN+HWBYc7mSbSEziFpyuDfHs7cbVd5Vdfj7NYNJ6Uk +8+APjCiQmu9hoqffuqdJKk09wtk0Ywa3NqeURnP+n+M +-> ssh-ed25519 +3V2lQ h+MbnwkJqmQbk2gtkyWvU/8gqJHYIG90lUH3AMENonk +wXsXHxzIsP9kSsi3mxmr5oujWL0Grj7y5inECZNSuIk +--- hkrqXuu9Lldhr675cyYUX5peiFT2s5ZMjIrOi7oRIyw +( ssh-ed25519 UE5Ceg 1YUuuRDXFkGG2ZNYrRUro+Bx2GNGVTTCha+P9+T46DE +gTxW/j5xNSxjSq5wze7fhNJm1SB5/YEizO65jG4Q9Tw +-> ssh-ed25519 uYcDNw 7lGPy/ykR0Vnye8NYSBKcTRR2UzJ0lw2EXY6d/5gBjQ +SHbqjmcN4TNzFbQb3AgHgzzm8Yhr0LHSFQHXMLyTDVM +-> ssh-rsa f5THog +IKJVe3MhHIFyivBHwYuf+COke576b1h0ARtu44ycuLSS71C2kteigviIwstXz97M +GIHz9+aC0xJCa/gZ4WWZ5t5qO4XSmkIYCHPsV5UhjCEj6AAL27rP5oqXZKCTvPV6 +7bEw4dNJmVyjAGYP0h4M+HaAFwe8nlKO291lyJ3NoyZcMR+KjEFiBK22W0oEqvS6 +tvh3GgPp1iiHUvhF5uSUTxOqu30S7ogY1jtPLxQvEEJZwbXdCKZ/0BltfRGqKUWu +DKBcKERUeEa+fSYRtxZqd0GGGOi0Xq3UKjTSmt5w58cBkrntbQeRTNYfnvvqXJJ7 +a0uRylsK2vnMjLXjlZryvL3ug+Ylpup/BuIMwzwpNEjasCqQt97v066Ho0qB0uej +rwslyXSjwlOsvblf6UovUzQ3GIG17X9POOavsW6md7wxZFCNtioo+qb7fegKK5Tr +W/H5GoB7g79pCbBUCMJP6MgPpMUVGH+5jDkWAQbik4lTH9ehD4Wu9V2hnyBub6fW +CjEtrWzpwH+yHFkm7R5IjI8DWoE4CWsb8KI+GUgr2R3AjdNuXINbJy+ya+wpuMLh +d5Q5tQbteQ2uBKJxXRrR8nNiiLqtQvRYsyF5G+BdXmAqAB0cBuH8yMmjUKju5tH9 +lSmdqUScCcVY11T6Hccath065f8Jtvwj3nJE9f2iPfo +-> ssh-rsa kFDS0A +RVoy79ijvAmU9XlEsbmiOOWUfenL+hITb6tXELUGjZjYIg+JPDneg7m1plUnRpBM +sfLrTSzOLisWfct5rbXWb4QbNnD7biX0/uAPk8Jk3tmUfJsM1oLmNaRGGgo7RkFh +J28PG0n5+eumauoS0Yf11GIgWUpC8FeVJMrNM5r4yV65EJEyyjRxFHjIGl5Jh6Rq +bkJWpDsuFb2eb2BdZACV/M/aDYn+XGJW0oozNW91rryrQfsAHc3GzKoX2HtqNxua +3Z348+NTS7jCKKhEwwNwibgTSz1PT2ynyaXi2N60KZ8IDc1xwtn1Ybj2/S1no64h +P1GCjzKmwizgINoWQ8LYQ3nHxRXQjFdS4X63YUSXKcZ2TKMNydlB3IGL9N+xKflo +w5EMqFTuHInpyOfz73WDg2LKuzlWabjn8KIlx2bYG8Etn5alSX+oQGD5zTUkDt4p +/J3b8kLCdRSfVxwBudftXnk8CDg5gzM7LD0NOQ8/VK8lyTVE1dCCty1NUcM0o4mc +VgdlcJn9ISZSd3UAt6BDUHEMYdxktJnlPr8Gsw1iDU44Gu2fPUY2OpmAnIz6FshR 
+KkSThN08FL2EgEO99fbJ/8NiD+bml5duUNJQnjlQ8NC9w1S/4ADXpHSrJARQY0pn +DfTvCz2CJnPqojb2vDb0knqvhPNLu1lmtrlyqMygmLg +-> piv-p256 vRzPNw AlRMMj08FZgVJAcUdKDVtQzrrZWqOah1fq0xeLFOFYh/ +fySXnGSZYyKOX75bwaByIAqaiatXpFF4zsuE7JEH//c +-> piv-p256 zqq/iw A7dI4n0fDq3z6OG/iuU8z4euPvx77lJJC9OlZG/RMPRc +waoyEH8qBDeUmCugy7ZnMj6tgLx/1+slhJTAJ4uXMNQ +-> ssh-ed25519 YFSOsg 99jNRmoZlrfV1ytKu8Pj41vBTNHED3dG99mjWnYe9Ec +p+Q3Dik27t8LRb5Mr17EzVwxdSQIZBeO+ezJVvFqg00 +-> ssh-ed25519 iHV63A 1V4hJI/P7TkMWDbZb0NMdCSULS8XddPl6gGvc1gJ91I +CKzsgmbASOGWYRFSyYBvY90HrmLfQNKcrTPLvf5m0es +-> ssh-ed25519 BVsyTA tJu2Y42CtsqGMLf5VObT+nEMYHyujU2nmJQfWOTZsg8 +MGxxNMPHyRNRDVurqovUkptzqfsemX9mCLSLu0RL7b4 +-> ssh-ed25519 +3V2lQ vHPgK6xOUrH/1fqjkw2rhg10O0izPSTPX7b02v7J22A +A/V11elKo6YNiFHYMQrWBnUTsaz21MNH9jcY78dTlmU +--- QV+btlc1pzitb681enVVR/tT/kwE3s2sV1qB7yYJ/3Q +YDgIx,쵴˜!pt m"$aZT4'`ejKAգtWS&){i_S \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2f19b430..9d48d8f5 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,6 +3,7 @@ let nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; + metronom-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLX6UvvrKALKL0xsNnytLPHryzZF5evUnxAgGokf14i root@metronom"; tankstelle-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdF6cJKPDiloWiDja1ZtqkXDdXOCHPs10HD+JMzgeU4 root@tankstelle"; adminKeys = builtins.foldl' ( @@ -14,6 +15,8 @@ let tankstelleKeys = [ tankstelle-host ]; flora6Keys = [ flora-6-host ]; + + metronomKeys = [ metronom-host ]; in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall 
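Review bot: This hunk appears to carry two complete age headers: after the first `--- hkrqXuu9…` MAC line a second full set of recipient stanzas follows, ending in another `--- QV+btlc1…` line, whereas every .age file added in patch 04 contains exactly one such block. If the file really is two ciphertexts concatenated (for instance an `age -e` output appended to an existing file), agenix will fail to decrypt it on metronom and the `mail-hensoko` account will not activate. The `+1,44` count in the hunk header does not match what is shown here either, so this may be an artifact of how the patch was captured; a test decryption with the host key before merging would settle it.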
@@ -22,6 +25,7 @@ in "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys; "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys; + "metronom-wg-private-key.age".publicKeys = metronomKeys ++ adminKeys; "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys; "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys; @@ -72,4 +76,7 @@ in "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys; "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys; + + # mail + "mail/hensoko.age".publicKeys = metronomKeys ++ adminKeys; } From 3bcdd33b5a2d3eb03d5b5b527b407b8759078337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Wed, 22 May 2024 22:51:30 +0200 Subject: [PATCH 02/13] deploy: use system from host configuration --- lib/deploy.nix | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/lib/deploy.nix b/lib/deploy.nix index 0cdb0eb4..27453bdb 100644 --- a/lib/deploy.nix +++ b/lib/deploy.nix @@ -7,21 +7,6 @@ { lib, inputs }: let - # https://github.com/serokell/deploy-rs#overall-usage - system = "aarch64-linux"; - pkgs = import inputs.nixpkgs { inherit system; }; - deployPkgs = import inputs.nixpkgs { - inherit system; - overlays = [ - inputs.deploy-rs.overlay - (self: super: { - deploy-rs = { - inherit (pkgs) deploy-rs; - lib = super.deploy-rs.lib; - }; - }) - ]; - }; getFqdn = c: let 
@@ -66,7 +51,21 @@ in
*/
lib.recursiveUpdate (lib.mapAttrs (_: c: {
hostname = getFqdn c;
- profiles.system = {
+ profiles.system = let
+ system = c.pkgs.system;
+
+ # Unmodified nixpkgs
+ pkgs = import inputs.nixpkgs { inherit system; };
+
+ # nixpkgs with deploy-rs overlay but force the nixpkgs package
+ deployPkgs = import inputs.nixpkgs {
+ inherit system;
+ overlays = [
+ inputs.deploy-rs.overlay # or deploy-rs.overlays.default
+ (self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
+ ];
+ };
+ in {
user = "root";
path = deployPkgs.deploy-rs.lib.activate.nixos c;
};
From 9635367c8251a6aa830fb75c9aabbd6dd7665e65 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 23 May 2024 11:50:28 +0200
Subject: [PATCH 03/13] dns: add metronom.pub.solar
---
terraform/dns.tf | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 4fd25b18..65b88228 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -9,6 +9,11 @@ resource "namecheap_domain_records" "pub-solar" {
type = "A"
address = "80.71.153.210"
}
+ record {
+ hostname = "metronom"
+ type = "A"
+ address = "49.13.236.167"
+ }
record {
hostname = "auth"
type = "CNAME"
From b6f64a1e0434425da85c94d0763361831da9660b Mon Sep 17 00:00:00 2001
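Review bot: The overlay lambda `(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })` is squashed onto one line and the `# or deploy-rs.overlays.default` remark beside it reads like text carried over from the deploy-rs README rather than a decision taken here; the code this hunk replaces laid the same overlay out over several lines, which was easier to read. Expanding it back and dropping the remark would make the per-host `let` self-explanatory. Note also that `import inputs.nixpkgs` now runs twice for every host inside `mapAttrs`; harmless at this scale, but worth a `# evaluated per host: system may differ` comment so nobody hoists it back out by reflex. The `mapAttrs` call and the enclosing `let` continue outside the hunk.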
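Review bot: An A record alone does not make `metronom` usable as the `pub.solar` mail host configured in hosts/metronom/mail.nix: the domain also needs an MX pointing at `metronom.pub.solar`, an SPF TXT record naming this address, a DKIM TXT record for the selector the mailserver module publishes (presumably its `mailserver.dkimSelector`), and a DMARC policy, plus a PTR for `49.13.236.167` set at the hosting provider. None of these appear in this hunk; if they are managed elsewhere, a comment on the new record saying so would help, otherwise they belong here before any mail leaves this host. Since networking.nix enables IPv6, an AAAA record should follow once the address is known. The `namecheap_domain_records` resource continues outside the hunk.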
From: teutat3s Date: Sat, 25 May 2024 17:24:42 +0200 Subject: [PATCH 04/13] mail: add more @pub.solar mail accounts --- hosts/metronom/mail.nix | 51 +++++++++++++++++++++++++++++++++++-- secrets/mail/admins.age | 43 +++++++++++++++++++++++++++++++ secrets/mail/bot.age | 43 +++++++++++++++++++++++++++++++ secrets/mail/crew.age | 43 +++++++++++++++++++++++++++++++ secrets/mail/erpnext.age | 43 +++++++++++++++++++++++++++++++ secrets/mail/hakkonaut.age | Bin 0 -> 2463 bytes secrets/mail/teutat3s.age | Bin 0 -> 2463 bytes secrets/secrets.nix | 6 +++++ 8 files changed, 227 insertions(+), 2 deletions(-) create mode 100644 secrets/mail/admins.age create mode 100644 secrets/mail/bot.age create mode 100644 secrets/mail/crew.age create mode 100644 secrets/mail/erpnext.age create mode 100644 secrets/mail/hakkonaut.age create mode 100644 secrets/mail/teutat3s.age diff --git a/hosts/metronom/mail.nix b/hosts/metronom/mail.nix index a68351ed..db3a3b79 100644 --- a/hosts/metronom/mail.nix +++ b/hosts/metronom/mail.nix 
@@ -2,18 +2,65 @@

{
age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
+ age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
+ age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
+ age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
+ age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
+ age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
+ age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";

mailserver = {
enable = true;
fqdn = "metronom.pub.solar";
- domains = [ "pub.solar" ];
+ domains = [
+ "pub.solar"
+ "metronom.pub.solar"
+ ];

# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
loginAccounts = {
"hensoko@pub.solar" = {
hashedPasswordFile = config.age.secrets.mail-hensoko.path;
- aliases = [ "postmaster@pub.solar" ];
+ quota = "2G";
+ };
+ "teutat3s@metronom.pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
+ quota = "2G";
+ };
+ "admins@pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-admins.path;
+ quota = "2G";
+ aliases = [
+ "abuse@pub.solar"
+ "alerts@pub.solar"
+ "forgejo@pub.solar"
+ "keycloak@pub.solar"
+ "mastodon-notifications@pub.solar"
+ "matrix@pub.solar"
+ "postmaster@pub.solar"
+ "nextcloud@pub.solar"
+ "no-reply@pub.solar"
+ "security@pub.solar"
+ ];
+ };
+ "bot@pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-bot.path;
+ quota = "2G";
+ aliases = [ "hackernews-bot@pub.solar" ];
+ };
+ "crew@pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-crew.path;
+ quota = "2G";
+ aliases = [ "moderation@pub.solar" ];
+ };
+ "erpnext@pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-erpnext.path;
+ quota = "2G";
+ };
+ "hakkonaut@pub.solar" = {
+ hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
+ quota = "2G";
};
};

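Review bot: The seven accounts repeat the same shape (`hashedPasswordFile = config.age.secrets.mail-<name>.path; quota = "2G";`) and each depends on a matching `age.secrets.mail-<name>.file` line above; with two lists kept in sync by hand, a new mailbox can easily get an account entry but no secret, which only surfaces when activation fails on the host. Deriving both from a single list of mailbox names with a small `mkAccount` helper, as sketched below, removes that drift and leaves the aliases as the only per-account data. The module header on line 1 and the `certificateScheme`/ACME settings after the hunk stay as they are.
```nix
{ config, flake, ... }:
let
  # One agenix secret per mailbox, stored as secrets/mail/<name>.age.
  mailboxes = [ "hensoko" "teutat3s" "admins" "bot" "crew" "erpnext" "hakkonaut" ];
  mkAccount = name: extra: {
    hashedPasswordFile = config.age.secrets."mail-${name}".path;
    quota = "2G";
  } // extra;
in
{
  age.secrets = builtins.listToAttrs (map (name: {
    name = "mail-${name}";
    value.file = "${flake.self}/secrets/mail/${name}.age";
  }) mailboxes);

  mailserver = {
    # … unchanged: enable, fqdn, domains …
    loginAccounts = {
      "hensoko@pub.solar" = mkAccount "hensoko" { };
      "teutat3s@metronom.pub.solar" = mkAccount "teutat3s" { };
      "admins@pub.solar" = mkAccount "admins" {
        aliases = [
          # … unchanged: the ten admin aliases …
        ];
      };
      "bot@pub.solar" = mkAccount "bot" { aliases = [ "hackernews-bot@pub.solar" ]; };
      "crew@pub.solar" = mkAccount "crew" { aliases = [ "moderation@pub.solar" ]; };
      "erpnext@pub.solar" = mkAccount "erpnext" { };
      "hakkonaut@pub.solar" = mkAccount "hakkonaut" { };
    };
    # … unchanged: certificateScheme and the rest of mailserver …
```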
diff --git a/secrets/mail/admins.age b/secrets/mail/admins.age new file mode 100644 index 00000000..bf44f8b8 --- /dev/null +++ b/secrets/mail/admins.age 
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg 6rewUSyj9mZOZp1Oi+DvWxj7u6r7HWUAnp/zSDLmZyA +OLBPwlUCqlVZqrZaqT/sfzslgcYRViuTt9yzJZRPIPI +-> ssh-ed25519 uYcDNw JNpKkljIQIPKR/KNG9AF/DxbJjYoMeQdhOjmpig2Q3c +bxu5hEvJi0ip74WUJNJhm6pAfdvVlFBbyCwQKYPkUXo +-> ssh-rsa f5THog +0Im1QWg1IHp5nYfo0OK908ohS+Mo0Jyyyimq3sc6q5WoDUzufaMVYfgVpHJxasO/ +SrVAwE6QLcHuTBZPeyr1HZ7chyQiWT+Lepp/MXhgS8nDOkgJaSNxY35PO6W/qtpE +rxkgdNZdB2Orqq0wHo0is5+pfZdcD7n6O4VoiayUh6kv5Brk98BUCHrydXMfJv26 +0Kzwg3s+/kDwOeVOt7uy6n5VPhcSLiJgQlK4t0HkPB2rUoD8dfyVqUZV3YmgCoJM +Km1lCxaS96xKGnvt0HklYy0OX5S7ActBGpQJjcNLTl7sb2M/U0XAF7O8teSKzdq4 +ejKOnzMdxFB+qOSZ3fGzHbjxNDwxPqyps0yhm72rT5tww3wOzYZXUebn7LwNKVwU +99mA0CR9W3wg3Thv4nwmsrycTMFHh9jvGRXOYgIqXNDoo2oqqkzLnS+N2fx6Wush +SNziOeZkgb25h0wrehxmqsEOVjlSE6C59E40XlmSj+MJf6siDLQGpLShE4Fz1tyx +GXASxlTNcJ8TY0N4UmozdWRW8pyTOtl1MhiuaHdYLQGvd3Zlwkr9C7pV6eVBxPyF +agSqbSZXprY5owp17fUc7HQUu5AcNJyQtDstwqOTPbaJFNfPnyaHU61jt52sk468 +W2d1hZ9SYxiN32rjYV6py2SiuOvHIWMz3ODkvhxQdAM +-> ssh-rsa kFDS0A +TRrrVhtSIhhR9OXVAEwfmVn44a/LIaYJZWndqPAcAEhQp1Z3kPpolkxtKskz982G +wQgSbzU3py4VRpXdy/FBttoEdBrhRMKG0z9N0szKlagfLA+DHQjTlaMn/UkxmO2S +4AdwO8jEJVe26h6Y/3ne7N+/Ji8QKO6tKeNVapBKHYsJ8qqscgYW1WgKOAfJ3M6c +6lyavfn2prTkM0xz6hMrywm1Is9ahM4vh39iLRAaVonFHmNJE+dAse8ijvKzjcYM +KAiZtabdJkWwjD/3x513fU/o9DQCnBTHfM8KLb7DTPC9Ro1K//O7LjcG+WiaERSh +0+dBZstMD7fQWEyJ/CgnRf54juZs2A7yBdrT9TcQtcgPKYk9QjFqHCmKB0R+TUaX +nNh4h33i5V/8JfPRQTLz/YYFdG+kG5Hvucs9I2HN1n/vaHL9UIH3zC8BmkUd5fnR +cnKXPjFCfrPPKg4DMT4gT5lIVtIBRx/IKxvjgR/8c8M9M3jk4SZSYHUlKtnzFOLq +ycGJopWX7kBWGliEQ8jC+nKYOXpSYH+mbHOV54zplmNOZKMdLJ9ek23WoX5/BD7i +arp4EtwYiD2LN3M1TG24gFW9VCY3Ofil6HAn5ySM9AMtIHwy/8srUBSCtdpWWGx+ +0fk+wGVu/5lCn51RPXl1L2YRloyx3giKvappuUcpho4 +-> piv-p256 vRzPNw AjkP6Dy1dEQ58LVB01S/1stB6JMpl+q3EuqHQp6RCfH9 +cePnQF/DS9AJx0MJArNi/5b6tncv46lKpu/1SIb5X7Y +-> piv-p256 zqq/iw A7cNqXWWA3Zd4vccwwW/Wgfq5cCOjnIPq/Et0qpeQUMw +p/e2OBgHoHA06WR4h3k1GK65u3qYH2YGPYQ10jz+pvQ +-> ssh-ed25519 YFSOsg +Tl7z0DL81uPhdBuEJG+9qnZ6eoAzyZfvJ5FtrtyRUE 
+nfVzlc5NoSxHv+2tM3D444kH9fCjUEYD+7wE2h83qYk +-> ssh-ed25519 iHV63A FgYN6w2aRUPpBBp6lV8pqSyopRaWwzhkGXxncU83HVc +PcNQ0P2ZGCnumKWuHVo0wwF3KCz13JadNkAHWgqIfbc +-> ssh-ed25519 BVsyTA X/VL2A5AlbG1m6uTqbYDJTJj0wVrYGx5w/geJTpgQR4 +zwlsYTehOA3oK92zFN2J+HhgaX1zYd3MP0vQ3W751Co +-> ssh-ed25519 +3V2lQ Hk8tcLh85helo+DXrRDhCHkDja+sEkM1CTz01s0SXDQ +ftNhb63/JDulFgTukVu76XG2Dfcorbdt47EV6kqXw9g +--- 37wAuChTQKbjj/RCIh7ZRB2GOf2kT1we3D4bQKevM3A +(=ž>jIMyA|ʯN萄f1Dg5 ߈g6#>%UjX@G*N\JE \ No newline at end of file diff --git a/secrets/mail/bot.age b/secrets/mail/bot.age new file mode 100644 index 00000000..d7ce33eb --- /dev/null +++ b/secrets/mail/bot.age 
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg iKhPkRjtE/7UadHCdLoQR0/fe1LhVF9wSp5DQUw0hV8 +o8BmKJxLYcxml+hq7l57nWQ8xAQFrROcX/BDCpZW7YE +-> ssh-ed25519 uYcDNw It3n9bvJCC+H+r5VRrtjrga1S1TkhiHUTGL/ltQbk0c +h/98devoPCP18pYqK7KcXaDspMzQMtvs5YxsoyodDes +-> ssh-rsa f5THog +xVi9l7vg34PJaGhjOzOtPtoRMePzlvdYKjNnzCXLd0g6Y4JXQZMoKCeeWrO++rtY +7/PDxJ0kJjJAEY7q2BnfV+87nmrGxFFerldDcEO9pP8/sN/u393WQpngb0tMNx6M +cjhwv0Y9ygAb858G1NzvnALVZGmbUxX1JIsq8QDcoP3kz5JmonIKLM3b4LrO735I +bfu3T+wTRebOHdC9SOhz6iuhyTnu/RmU9w22AKK/IL19z+11NJB2Xoejkfw0c6ZU +cW25i3TdwmiJAZ+lCDJQyBXtLctDes1/e6HtOkXoJSKQA5QLfEtPeCMyBmE4y0pR +z1DPiP0wMd37YR8dMXoYDRfo3EvsDJkNR0SDTZj86kio9e2sXA3OtIx8BLM0y01F +0Vnh0FwpY9kclflboeY9w3Uq33/TCvy9aZ29XD+X7HGdqqiqxeo5rcAMXO9xAx3h +2fIwdVyWYTnLt8TDOH9ZKDw8vausEITQM/D73AbVlLRKDnXTd+YTkYBgzU1rJtR0 +4FQK4PL2qkWYKEK7qDTp+Hrhc4vOnxURaLsdexTub/A/TXHhGAKPxpGBOcBbCjc5 +4mHSRQsDTbTNNE7bcDbkBiUcXAdlPgvEhfLmmBw8sho45M+krSeSd7V5CJ1NENhJ +3SO92RqIuyGR48lmvsuN5js4uLS4ntoyQvnmIQIVSQI +-> ssh-rsa kFDS0A +EsW7RlBeeV69UwczFANtxqmz2Et2jpUL378UuMydlzRznbp/TJjrzCStMTOBEDyC +SuADuvcvLf1WsVbf+rxRuFgte0YMiqUNlijN7tsOFg92odk8tHVwXEA71SW8/ZWh +zFqUJ8pPFXPA6DEYMGmdNLV+tEx3YsUFCrTvhRIBGPCFbuYJj9Ta2xg0KK3uR5/l +xziM5xxc7NtJGpW3dA/qFyneuY6gPm17PWav2l7gjAge/6FvLFzfev9TuF82iPgc +RkCNgHZqClWLRO9b0af8FMGWIak6kr/mqao40net2azrFqMxmeQFLIKJSxa6Agz+ +UtlOND1COQwHrogQkHVuanBRRdUZzGk4QdW8MN49JPkvwvVPGS2XZrkE5m4k66Nu +rfMtlcoSGSA+GIZXTDiDPLpfpYV/XDe4IoPTpLcivRNb8i75GwCT/5vD39Qmlyyc +GHOX+v5JXh8WYpgvTEPDYE/oeKnsq27QT1wt8q0hKuHcRO4BcdPuiaSMnn0kjvLd +o473b6cHE96F3cTKhXerLqeMFs1+DsJhrxYCmRikZot6Iz8H5GnqT82Me1by6cYt ++GDcuVLIB0OzWfI9ibZB0ueMM8UfrLeGDq8hSF5M0rDCbFc6ZzQw8PgI97PNaDGg +FdIMho7IXEQKXMV7ueZ2/PiQEA8vfBWRnxGKFRQLOTY +-> piv-p256 vRzPNw AjWew9VSba/AQKQ69l/4OhvZUT/bawt7AOSe4/LjanOI +wHkZs8QQAOE69dq0d/2PAMgsi3xDBqEEvEFB7WKMC1Q +-> piv-p256 zqq/iw AkKV76ktPNKCS/KidRxBHdRQmtH3BNO2kbBz408ZJ+wu +S8KdsoVZUgvW7E4mlVFpp7/wxBarAPTEBqsYoBXar+M +-> ssh-ed25519 YFSOsg SQt87e1+Lza1kqQl+AyqOu47+en8H2AbjCasMjDLfRE 
+vBO3eKJPzagd9NdPmVG1SvO3x9rnf4H/8oddfCwpjLY +-> ssh-ed25519 iHV63A a1iFLv3FlMcfq6p8+dKlFB9cDPC8RFVc9DxtpNIXU3c +eQW7PJ+eGgp2loZTMUf40D8V3LNAinBSXgxdlHEQq34 +-> ssh-ed25519 BVsyTA KNSZgJezH8bUbpFOWiyBN9kPL6EvG/L7Yh9ZRGUJkzg +Fb4oMWqk3OfdKFkLd8qq2wGvq9Fz1D4A9HmA5a412r8 +-> ssh-ed25519 +3V2lQ z3vxaJYUXcqI6f6U85Oj0u6cqyarKTLidDHsURqaTh0 +HNC+nhMbrJOUUS5SAcqJDDjwhjvRxOibo7Xx911cyOg +--- 6hftMRn4kD/f/ixMq2T+VnXZwyfpcV7zxZ7PBAAcsDM +5lk9ˡzRөרMFM.}D%Xlu]7"\(}-.25>06 h'^jK/5 \ No newline at end of file diff --git a/secrets/mail/crew.age b/secrets/mail/crew.age new file mode 100644 index 00000000..d4965862 --- /dev/null +++ b/secrets/mail/crew.age 
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg qBHHVskxlk6AOCGIusKKItMQVrJpjpyWXBfcmpx6Bn8 +RDGWdLn/D8h+dKixRk39zrMFuoaqjdbnUX+CiRq+TSA +-> ssh-ed25519 uYcDNw K4nqUOfxtA3GDpg32ndobWATCQBN2ylzD3wyLlnT2nQ +hRPPtWcxI/paVmOHT3J5SS7Ov8+gvXDAqtceJFn7o+s +-> ssh-rsa f5THog +n+B7fmdbS+uwPFyHhBCNAAuCsGh6nzA3Q1ttF7vtadi2yw6P940XKB9hXnCe1btz +NBRvKkVtIzRqc/5xDTqbDJivIYzFu8StofWv4xRBFzpA3P9r1qQV1lHwxOCfrsdd +296KHvqWVo4rdhkbd9Cye7cxndr2AWs0Gwn1uNvM1WQjTzUWzuKy6UsVztEcsB0J +4avT6+S+yxpKkMIyLqlbis/VYe/CDpPJGnxeG2GN8POVQpSdyBCEL32qkj07wR17 +9rZFWU5WKfIr0XXJkhq+ewNdJzQKfWDFEhHrZYrg8LxKYsOWhydRBVEHkWVXnLin +CSD1Cv4VNHnqCycJ1Dv2Lq2n7SHoGMLPyC1UPJudmpY1Z5XIvWOu5uxvv0674mdN +WxOXgZpitwpgcmMC6K4mBZtqI8yqMP1Gijupoj4hFK7YGqKdn6+Q6ZFsttL97I00 +lU22H1kf/Rxh0ZxMPiT1JcTwAZdOHIuRG6xPhVIx1hNUOmdUpg3YZa8dMKeA3Yjz +7YL7ZaYkwsIhMh6w+3xWUiYNkWfmGffRq0DfXIzTkKzapQtQJGLOpeot4wPkW51q +fHoJ2MNvlB3Yo5AveAkIaJpofjFFZgy9XVPGH2XSAFRez3hixXkV2rWiM+GJAAnQ +z45H8qWfGnRKSjgqEKVPDlfFEiG78Dtzjtl4oW1gfbY +-> ssh-rsa kFDS0A +bZc7lDzI0kG/lY1reQtVjggoWfLj9/zz+BxmbZfisxsEE18AkYGsk/Ki9ddXFxDW +5EIbCHheFBvkq7eb5OKcTUf3AFTch2/8dY1hnmR6uPq1Zwgl4ATCpcQPY85+7bPb +GBl0msNpRHuo6um895rL4omdv+DItmMdp3Lyf+CcFRvaXOpRnFmOqgatZ1bMePx4 +qJajnToar4YIEJBzc53oGWdAHfcmVrvEdOIUNoS3QoyCmusCkMNrSfqmvPfwqsWt +g+pTrI3NqmTt3+L0EawcRLjRYb/qM/L9/nSFOnYOv3hLzWOhwSQU/gr1ZKMxYnaI +GxqWzWg2dvkuHlRKVwwf8mNBrZlqQDV/ydOeyjJUKe48jM/PsIj8NVsqRhkgHrkH +/lvQClYEBhrgHc9Wdxzy4KM3DPyKCQSYxBPnZpFVzuFBKML/cnYU84i7r4Gkb/z4 +Jxwy6jxRzjt+Sou6gTP9dIASaYfMKYnf4ijB3IZLNApkNMBd0qt5qptTCG0LylDX +eTGGWjKQrC11znI/PWkSJQsKuBDHesL+QmjgJBhPdpl7Tk9ZaI/rJk2KYAjF6J9V +add0KsLxAZbqlFo1CJO8HHysCRljXob0jYefmnDXO2x8xZvt3eSzVa8JsNLcMv5w +4/tAdHBfH4mifA5mVdVbeRUDby54TdfIWGAZtyhgvYg +-> piv-p256 vRzPNw A/0edIuqR6hf5WE2qoSGqX18sbslgSxxgmDOc6wNqfQD +GT94xHQpPOdNorZOaSi7EPdaqSSVjJNB2qaSYA6qZhY +-> piv-p256 zqq/iw A5bQxOBbSgsr6+TL8bgNWl287IF8Zvec6k9oAZPgIRt2 +z0ygD5ZRl3WZjfVA3Aku70mKddTZZ/W9rX2XOBJ9cco +-> ssh-ed25519 YFSOsg R487ufjbfae0x3wSAYH9d4Yz0dW/ze3wXxQI/DCFuWw 
+klWo+lmfAMaZVo/gDz07/ht+szuA7YSpvDc0yEe0bgo +-> ssh-ed25519 iHV63A Ond1kPLFFFIC/lSpv6K1uobvXYFmw+yVwNUTN1HIUVw +ElzaC1ho8F2X2jRZtmAdY9FUMiCs5XAEcFqEPTy6Ilc +-> ssh-ed25519 BVsyTA F9U4uSI1sNELggtM7/VwlYOlg+ghBg0xAQLux5Fmvw8 +4PY2p7QneYIuumlciTmEbR/DwBKVMXxsfRoSuSgfmR4 +-> ssh-ed25519 +3V2lQ 6i+WKf5wToBT5vne7ACy51BTAZrzMHCyiQ4D65m5Ol0 +/kt6I4forttfn8SbZ/9K2mvZRh4Cbj+JqmlZ746Pqqw +--- ufN6THtH8xQ83XVERTJFwO8Ti0AJyflJwZtA8V2mba4 +g[& ໹|jG#JbƤTc@E}>mcD*M,( ϔ6Cꂥkǒ=f Q \ No newline at end of file diff --git a/secrets/mail/erpnext.age b/secrets/mail/erpnext.age new file mode 100644 index 00000000..14d1467d --- /dev/null +++ b/secrets/mail/erpnext.age 
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg I6uUuN8666FFZt7t0Z/EyWpTALPQKjGT8BBtjrJL8Ro +4Cy7GJ3RQqmrDpYocWTx31MV8yg5QKUCEfMjAaBunnU +-> ssh-ed25519 uYcDNw x+wqWbE6v2rzDZ8oDP8a/80yMBn5LI+aqBsUO7QktHU +1s7d1LfdY7bhXi6PJMi67RfxPDF8UWcLpS5cQzuiPvg +-> ssh-rsa f5THog +JQDnaZPrI5bw7OSCOo2d+C/4KsXOa7Dt0140G3/Snv7j/DPxkz+hC+jxLlt/GIY5 +Py6bV/wqeS9HRUlReB9Lr+5Q89yOZhxqQI08zYnpmn6Ipr+ALNWy2jHKTBDHHPJ7 +LSuv46ppPRDnZoy6NEUIlaIQ5EOXAGGVGi6nhS/R5I/fJIF4yk7B7MKur5Mhj731 +Np7pb2yAfAZGxqleYO5I1jTLIGcBIDpmCricg8W057cdXFG9DG3P4Wvi+Q9bvSH8 +cQwhCscUsxwZN4uVUvIAeavo06JqqOio4N3XJAwzY3syPfKhQ0xdAIMiOhl0TYYc +eVy7llsbtFd7PSu0FTFfWyuqOZNOmDoKghns3H7HCUeFcp0II1+LS0v6QKAJCEIR +CVtkNbfM8SxFioGaUTwSfxWIy9+usSX8oHYp0SYKYjBCoukq/N01yZIxVVrXgROK +FjEbyHCyIwnJ/UsrWh3TldwsDSKWbFogO66m9K0d0wJEq26UcVADQi2GLt1YCXgS +klNjHAdX1oodhr2p0ZURxngYaWuwMgEOjsMtxyA4M+4nbXfF1ds/uj7i7Btn3R6b +AzlOo+tVKg1iHFGMn5AUTOV7DtltaMxeWM24l3W9v677aozu7BDZQK5VwSSjyywF +Vq5p0Rsdif1Vywg0+AUxsPyTy4YqTvXRfQviEU/k9Qg +-> ssh-rsa kFDS0A +IVW5AyRKdS2zzPPZLt0qLS5aqb4+C+tFgHfD0mVtrYadn9ugn11+Wk+HKdDko43z +0rLdqE9q+Hyg3jCVk7DbnsL7lzfLKt6JQVfdCN2qihHLofPqqGgjC9pp8C48EjP/ +ND/S1nrSTq8A9jF2/oja+ofcQCKGZKGC3u8E3UUdC2rmDrQF1CRZ6bW6kUxbEh7n +fogXy8BP4WX3/LxJxRwaUSQuYMrnA/SvCbQP50Z235xgr6v2+Hfm4KxmgBpy9YV1 +BCuuS0Rgkkipa4SkDg4BdEyWcbTu4JaXTZPJ/6UKdNS9wEGkIaCIENkGIkl7ViTk +DDHjbGKMQD7nOv42Y9bQJwwcAEW3gN+g7kgD22GW9cpZEFTcGESX1tkYclZiZOIs +IC63gYk0o5fEuLsCYoE0Jld0D9Ja7JYbVH/ukzJ99rWgcLLKgkC5pEosPa0kex1y +L2+YDmSKtqSY3YjTFv8q4DVTBKeoWjNHkNaDl5IInhzbJ3k4zZAvJ5av02ws5aM9 +i7WYk+tARjK/Bsl4pEOq5UwdAlQBuAOWUMhjLjR7BN5tWtA/wrz0LfCctTjpwxSE +vuIUIeJENpjIv88OAWVqR2SYqyTyLnHO0YpreWfF0nj1GTGY//XdwA/kqekhj8dZ +U70iXnquIhqzuwkMSC2cq1WL78pmh8kkmDbIgk8y1tw +-> piv-p256 vRzPNw AiRbeKSGWFJXI93xQ2+yh+CwJKIl6w9XFvaf1QMo8lSN +XjzQLjfA9e88kyGeBlLWqhYGSkcFhbEp2G0mthdYRyU +-> piv-p256 zqq/iw Ay5OxlqOR1CuTnrkdN0DbZXU0X3XbwKjj138AO3+GEGh +UqBjfcB5Xj829ZgvWk5eJk/5kXNE1oXBxOIo46SEqz0 +-> ssh-ed25519 YFSOsg g11+RyINzDuZtkWMDhq03pXFK/sI0rrvu1nRgt2lTi0 
+KwhWvcS4dGb6usaNScrRUFtzaAbIHYNziY+E5tq/QBQ +-> ssh-ed25519 iHV63A 18otcJyCfFTil0bJHQzHbnS1MktjeryOSI1OZXypki4 +vq7Og0UJmDgclm/MRFw77uGOiOatgPRhlTeEH7kjuS8 +-> ssh-ed25519 BVsyTA ISv3vLZ8DHSiiNrRIFPB7YZqcMKkecuG4U7OPAj7hU8 +8ANZ3bmxLZT+i0QCRQ2I/KgcKsdv0YBLX5FoGSw+M6M +-> ssh-ed25519 +3V2lQ qNtNUsgkHIHXGEIjzjPuF3xKLOfeSCeMrNrIdkpjmxU +OyS0yUzVdtpG+A+OvKVyX8vl7dUKysIosb5b+1qdH/Q +--- ptU7IkkyEOB/9kxpGyi6TS/nx4zIrRnvtCqGiZi0NII +8TxvJ)&kܲM&.N`S8|µw|2me/, @3}p.oŵ>Gvz/ \ No newline at end of file 
diff --git a/secrets/mail/hakkonaut.age b/secrets/mail/hakkonaut.age new file mode 100644 index 0000000000000000000000000000000000000000..983cbcb007700573cf2f6a67d7e4b69c737fdf40 GIT binary patch literal 2463 zcmZXVyUWFP8OO!yl7dilaeEhah_6Y`NpcbeB`3F&lbl>nu85G^$^Cwh;38P{4-kYp z6&0yn{0nr`rGpeiaP3e;Cx=ox_$pMSoqxmU_dGn`@5fK#=eQ30tsS$b{zlU$(2M}j z-+mf~^f`_W7>1BfCX3N=@}$XBj<5aJ^(ejv(=`<{Uz5p&6A`y`SBZ@|nn#dpbEbg8 zYlAGF{Mt?m;O6Bimu>#wEYsO%w*p^Lb zKA%r*em~8CV~5AcIo?&8cCd%Op>)Q^XXWPRV3$9(B5$1*%3)zTY>Hdg2O8PvKbS^;KaBq_LR`7HuO zsvMp|tuN~RbXL45qlx+!)mky-B3Vc@1ZUII)OnjzWWkhYP9?jLaJ@FaU3#2N0P{9_ zy?Jc%>bmN9%h+Q;N?u=*jZrmzZ(aO4>!eW5u|{Hj4(meOc~E?bH&uKlbPO<1Ibnk1 zy*jy9I0+$@uSHU6r3Y;Gb&(ESg*t;c z+pF1-LE>A8G~60it&S3syGVg@F$;$Of5!#K7%&BxDM~Wxq|J9*+EgcYuWfNadQjl? zJE1woU5RhI62+2$kQ2!(E6qjUygz`&(3X`$$c3dB%W8pW`gFi zS!OwvRRrcCx-&MoozIlV+U`v}D^t2>tYcLpF59J=*jk_H(a`RF3bxzj+QWae6Zn_4B8wYX`O zD!N$t-X3G3aB`7>9|GTL`s3;V9)Yaog@EQr=??*Cwmj0Sk4|LK44i}AK^CaBPS43c!(I!aP6d1nHJ`)d79KBE)~JM2H^|O9x>2E zagsZa`%&3W0uTGTo3FqbJJY?H`^KE!vAZWs()pepS$w$NU`a&hJqIC*R`?MUkPEhI z*aH&|G%vk0V2zR700c=VD~;u#_4*)S0zT*MehYRH)a_Wy8zcxV;u4pu!a!+ruk+=E z@8exS%?c%Oojn3zJ~+}LrL~~BVs0WuSarX`Hp8Tq)i$9SRmu_D^)Tn@ha(r~F291N z%jCFu^8;SD0o_ogF`srkDRR~ti$g9Hc9PBIt=;gtCt|&0@_7f#O#9Crx7qyM9x(iA z)_3)#`YDupaF2FBU}UA1p$#tu{}2Luoms;*Su)H+(xNDY>qi41>p0|Amb5qB&vJq% zWudTWwKjqNuV&O;X33V%D9RkmVTD_vH$sQO3YUE?Jr5y#TGOnI3 z1a-KGmlv9A#wIzPbz`5!{lRQa5YWkVy>8BVMimR~rlAn_K)%7Bob7B4+nsvaWxhOn zFTy7u4JbkniUG~Abn7B@T6Oa~>&knH*-s2z08&RI550gyk>^~?=#4at7xclNeg59X zg&9gKti={|Ek3nL@Ms-M?aAxmXj{pW(+DQ0mK<$67IrbHO@lHbu=;9TK$mblCr5$) ztaDm@_^UL4)<9FYB<&B^G=`Zj7{_h|DmHd+W?!UhJHGTQ> z7k~A+58r_C;^)79^DD2u`6_z(nfHP9k8i#EdFK1)FTDTyXFhuSo%et7%lBR@wRc{7 fi+bgsAN=U;-~9B)pZ%ft+pqua2Y(2+*T45~;8Zm# literal 0 HcmV?d00001 
diff --git a/secrets/mail/teutat3s.age b/secrets/mail/teutat3s.age new file mode 100644 index 0000000000000000000000000000000000000000..816665bc1f8a78872ed1e11d87ca22c6b4e24a87 GIT binary patch literal 2463 zcmZXWIq3Wd6~_e|4I(yzg~-oJm-sjLg&^dbT$5yGa>qiGOzvcoOzvo*xT3I?%65W< zjcjElXr+x{A==p4*om#Jia(15-ECj0qLYosFzxgy&m#Ro%&u_p8ZHeW-RU-wT82L*X?CXnJ3T z#Dn9~6t6-XWmX^^CL2XAdgzJ$6iGK4Yi$bB5z1cilE+r&N z8B2M#h-gFy7R=WsHE`1Ra=?b-Ad_vICpJX)j}hmM3nfIOHW-CPKg6q}Pn(3Gx2}Gl z_8g;^jIiY{2X6IgTB1PhDkBBC)*ZMT={t?{yq>5)W5LF)+S}OHD8FzZ#GEl4guOB_ zg6x#H2&n+Ia_5|(yoJQQ$IRf8YPFh5S2N@D5QPGJb@C$VvMBt(m?@D$(Ax)GQ|WvQ?<=Z}IoIZeZ7pmN#nsIO8DJp!Pt;^(E| zb(K6YsLW<1bdR_kbNph>2)-Po*|&HoNsgZtev%w2R-TOU(OUwUMF$R~B(hNBDqr@g zDusQ-_K|*M4k#9L*-TN#QaNdQuICrRG-mtxu@W?iPK+|g6uOlaut#;HG<~M%Dp7Y3 z#KT@{Yn0iFO)05RW~R1#Y6pcb3P>?l(`E0$@^oqd60#=eSoLf3k`4B2DCFz? z)-e=b$#XrXTpBPH7&UGS*pX45%&>4F^K62qjJW2b({Y%L8~P%_GTASZD+QY0b21DQ z=OLG(?kU%t>6HXi`M}K^RyKwE&Zs%*q+vr}!aMld&Y)IS)(2GWT}q;z&_v?(t$?ST zXUoD);+c)MQ%VB~t+{*O!&~G^D~&h@FU*{Vg6TRvRh#D;c>&!x;D+v0+JXjMz2KN& zMN8P|w1PVaj8^Jyo`FseS;4Q=AV7-1c0Nm*h=ntAuI5)yKe@qvKMqaaUPXAFSw%!u zY3X4-_yEWG*J*QF9fWWeyIX1rZvtxei*X9E>T-zPm<^ay;Z%k&bSqR!e242&igk6n zVGRbzG2zUvMcEl4cR}qUl;%A|*zw43d5Y)L}_ zu&v_`W}A?iTuwu1p9fx{2=2-#SHXwO42JpQ>NjBlcJKT7{tXRImO17x(tWdV>Mlz= zHIO^E@x6!{4?~Fq5?mOqFK8BRWJuN89KhA7U1=`Xt%SLWL&GgH%H|6?*qzNUin`Na zLf&x^a>ozSO4%hb_T?sNJ_Y*p2%>_BIa(a>o6CE z^1(OOP_B@s4KBkW)&koOV0OYxjZ`1yRTV6$M+#UFmb<`)4m}x~t?j|oB@ek)KJ*`e zn2R>o7jbXPaq(F>i%{0rz=$m)NE@0C(Y)e*pdg|UHiFhilK`aoI2(p{S9X(Xhe4k7 zP49i3syw~7(l#J!-4S%JOztr7=FOWIBrm~B(WbQ|pK=l!pH{Bxw$UwTuaTBH6Z;@S z#Kl;MkpKt$k{@xEi^SM8M^bg Date: Sat, 25 May 2024 17:25:07 +0200 Subject: [PATCH 05/13] dns: add test mail records for metronom.pub.solar DKIM, DMARC, SPF, MX --- terraform/dns.tf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/terraform/dns.tf b/terraform/dns.tf index 65b88228..72e65f9f 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf 
@@ -182,6 +182,27 @@ resource "namecheap_domain_records" "pub-solar" {
 address = "list.pub.solar."
 mx_pref = "0"
 }
+ record {
+ hostname = "metronom"
+ type = "TXT"
+ address = "v=spf1 a:metronom.pub.solar ?all"
+ }
+ record {
+ hostname = "mail._domainkey.metronom"
+ type = "TXT"
+ address = "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFkI+IqTwyUIo5LqYVPMXlkTJe7trcE+ln6vjLFcoXBZaXfFVRJThMtfEZLkJ84ndEHadszFdSZs8eLRVCt/h7x9+GaOPIdKI9lbOn+AepwxhE3z/VrKKfO0CFyLsA6+XY7ebiF1aYctalY+r8Jtt8LuXh0Fj6+4YAFkvNxJEnQIDAQAB"
+ }
+ record {
+ hostname = "_dmarc.metronom"
+ type = "TXT"
+ address = "v=DMARC1; p=reject;"
+ }
+ record {
+ hostname = "metronom"
+ type = "MX"
+ address = "metronom.pub.solar."
+ mx_pref = "0"
+ }
 record {
 hostname = "nachtigall"
 type = "A"
From a3f7afd7a011bab5510ce73a025d8e12de8fab96 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sat, 25 May 2024 17:25:45 +0200
Subject: [PATCH 06/13] docs: add metronom to deploy docs, style: format
---
 docs/deploying.md | 15 +++++++++++++--
 lib/deploy.nix | 37 ++++++++++++++++++++++--------------
 2 files changed, 35 insertions(+), 17 deletions(-)
diff --git a/docs/deploying.md b/docs/deploying.md
index 20af975d..976d0751 100644
--- a/docs/deploying.md
+++ b/docs/deploying.md
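Review bot: The `mail._domainkey.metronom` TXT record carries only a `p=` tag; RFC 6376 recommends the version tag, so the line should read `address = "v=DKIM1; k=rsa; p=MIGf…"` with the key material left exactly as it is. The SPF record for `metronom` ends in `?all`, which is neutral and asserts nothing about senders other than the listed host — acceptable while testing, but it should become `~all` or `-all` before production mail relies on it. The `_dmarc.metronom` record has no `rua=` tag, so with `p=reject` nobody learns what receivers are discarding; adding `rua=mailto:<reporting-address>` (placeholder) gives visibility into alignment failures during the test phase.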
@@ -10,13 +10,19 @@ Then, run `deploy-rs` with the hostname of the server you want to deploy: For nachtigall.pub.solar: ``` -deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false +deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results ``` For flora-6.pub.solar: ``` -deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false +deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false --keep-result --result-path ./results +``` + +For metronom.pub.solar (aarch64-linux): + +``` +deploy --targets '.#metronom' --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build ``` Usually we skip all rollback functionality, but if you want to deploy a change @@ -28,6 +34,11 @@ deployment, add the flag `--skip-checks` at the end of the command. `--dry-activate` can be used to only put all files in place without switching, to enable switching to the new config quickly at a later moment. +We use `--keep-result --result-path ./results` to keep the last `result` +symlink of each `deploy` from being garbage collected. That way, we keep builds +cached in the Nix store. This is optional and both flags can be removed if disk +space is a scarce resource on your machine. + You'll need to have SSH Access to the boxes to be able to run `deploy`. ### Getting SSH access diff --git a/lib/deploy.nix b/lib/deploy.nix index 27453bdb..f94c83ee 100644 --- a/lib/deploy.nix +++ b/lib/deploy.nix 
@@ -51,23 +51,30 @@ in */ lib.recursiveUpdate (lib.mapAttrs (_: c: { hostname = getFqdn c; - profiles.system = let - system = c.pkgs.system; + profiles.system = + let + system = c.pkgs.system; - # Unmodified nixpkgs - pkgs = import inputs.nixpkgs { inherit system; }; + # Unmodified nixpkgs + pkgs = import inputs.nixpkgs { inherit system; }; - # nixpkgs with deploy-rs overlay but force the nixpkgs package - deployPkgs = import inputs.nixpkgs { - inherit system; - overlays = [ - inputs.deploy-rs.overlay # or deploy-rs.overlays.default - (self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; }) - ]; + # nixpkgs with deploy-rs overlay but force the nixpkgs package + deployPkgs = import inputs.nixpkgs { + inherit system; + overlays = [ + inputs.deploy-rs.overlay # or deploy-rs.overlays.default + (self: super: { + deploy-rs = { + inherit (pkgs) deploy-rs; + lib = super.deploy-rs.lib; + }; + }) + ]; + }; + in + { + user = "root"; + path = deployPkgs.deploy-rs.lib.activate.nixos c; }; - in { - user = "root"; - path = deployPkgs.deploy-rs.lib.activate.nixos c; - }; }) systemConfigurations) extraConfig; } From 1ca1168d7a82ed79186efb8c2305f52f80df7695 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 27 May 2024 17:51:02 +0200 Subject: [PATCH 07/13] mail: switch to mail.pub.solar --- hosts/metronom/mail.nix | 5 ++--- hosts/metronom/networking.nix | 4 ++++ terraform/dns.tf | 35 ++++++++++++----------------------- 3 files changed, 18 insertions(+), 26 deletions(-) diff --git a/hosts/metronom/mail.nix b/hosts/metronom/mail.nix index db3a3b79..d1379e95 100644 --- a/hosts/metronom/mail.nix +++ b/hosts/metronom/mail.nix @@ -11,10 +11,9 @@ mailserver = { enable = true; - fqdn = "metronom.pub.solar"; + fqdn = "mail.pub.solar"; domains = [ "pub.solar" - "metronom.pub.solar" ]; # A list of all login accounts. To create the password hashes, use 
@@ -24,7 +23,7 @@ hashedPasswordFile = config.age.secrets.mail-hensoko.path; quota = "2G"; }; - "teutat3s@metronom.pub.solar" = { + "teutat3s@pub.solar" = { hashedPasswordFile = config.age.secrets.mail-teutat3s.path; quota = "2G"; }; diff --git a/hosts/metronom/networking.nix b/hosts/metronom/networking.nix index 8d57a051..0aedad54 100644 --- a/hosts/metronom/networking.nix +++ b/hosts/metronom/networking.nix @@ -7,6 +7,10 @@ { networking.hostName = "metronom"; + networking.extraHosts = '' + 127.0.0.2 mail.pub.solar mail + ::1 mail.pub.solar mail + ''; networking.domain = "pub.solar"; networking.hostId = "00000002"; diff --git a/terraform/dns.tf b/terraform/dns.tf index 72e65f9f..cf8adf8f 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -14,6 +14,11 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "49.13.236.167" } + record { + hostname = "mail" + type = "A" + address = "49.13.236.167" + } record { hostname = "auth" type = "CNAME" @@ -148,7 +153,7 @@ resource "namecheap_domain_records" "pub-solar" { record { hostname = "@" type = "TXT" - address = "v=spf1 include:spf.greenbaum.zone a:list.pub.solar ~all" + address = "v=spf1 a:mail.pub.solar a:list.pub.solar ~all" } record { hostname = "list" @@ -165,6 +170,11 @@ resource "namecheap_domain_records" "pub-solar" { type = "TXT" address = "v=DMARC1; p=reject;" } + record { + hostname = "mail._domainkey" + type = "TXT" + address = "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI333HhjmVmDYc5hYTtmB6o9KYb782xw+ewH1eQlpFcCMyJ1giYFeGKviNki9uSm52tk34zUIthsqJMRlz2WsKGgk4oq3MRtgPtogxbh1ipJlynXejPU5WVetjjMnwr6AtV1DP1Sv4n5Vz0EV8cTi3tRZdgYpG6hlriiHXbrvlIwIDAQAB" + } record { hostname = "modoboa._domainkey" type = "TXT" @@ -173,7 +183,7 @@ resource "namecheap_domain_records" "pub-solar" { record { hostname = "@" type = "MX" - address = "mail.greenbaum.zone." + address = "mail.pub.solar." mx_pref = "0" } record { 
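Review bot: The SPF hunk drops `include:spf.greenbaum.zone` in the same commit that moves the `@` MX to `mail.pub.solar.`, while the `_dmarc` context line keeps `p=reject`; any service still relaying through the old host at that moment (the SMTP client configs are only switched in the following commit) fails both SPF and DKIM alignment and is rejected by receivers. Keep the include in place until the client cutover has been deployed, or apply this DNS change after it, e.g. `address = "v=spf1 include:spf.greenbaum.zone a:mail.pub.solar a:list.pub.solar ~all"` as the interim record. The `modoboa._domainkey` selector stays in the zone; if that key belongs to the previous provider, it should be removed once migration is complete so it can no longer produce DMARC-aligned signatures for pub.solar. The `networking.extraHosts` hunk pins `mail.pub.solar` to loopback on metronom itself, which only works if the public `mail` A record added in the first hunk resolves to the same machine — it does here (49.13.236.167), but the two entries now have to be kept in sync by hand.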
@@ -182,27 +192,6 @@ resource "namecheap_domain_records" "pub-solar" { address = "list.pub.solar." mx_pref = "0" } - record { - hostname = "metronom" - type = "TXT" - address = "v=spf1 a:metronom.pub.solar ?all" - } - record { - hostname = "mail._domainkey.metronom" - type = "TXT" - address = "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpFkI+IqTwyUIo5LqYVPMXlkTJe7trcE+ln6vjLFcoXBZaXfFVRJThMtfEZLkJ84ndEHadszFdSZs8eLRVCt/h7x9+GaOPIdKI9lbOn+AepwxhE3z/VrKKfO0CFyLsA6+XY7ebiF1aYctalY+r8Jtt8LuXh0Fj6+4YAFkvNxJEnQIDAQAB" - } - record { - hostname = "_dmarc.metronom" - type = "TXT" - address = "v=DMARC1; p=reject;" - } - record { - hostname = "metronom" - type = "MX" - address = "metronom.pub.solar." - mx_pref = "0" - } record { hostname = "nachtigall" type = "A" From 9d8026a31a4c1a8dcb5384056dda171172cbb823 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 27 May 2024 17:51:32 +0200 Subject: [PATCH 08/13] mail(treewide): update mail.greenbaum.zone -> mail.pub.solar --- modules/forgejo/default.nix | 2 +- modules/grafana/default.nix | 2 +- modules/mastodon/default.nix | 2 +- modules/nextcloud/default.nix | 2 +- modules/prometheus/default.nix | 2 +- secrets/matrix-synapse-secret-config.yaml.age | Bin 4191 -> 4186 bytes 6 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix index 5c6d44bc..26f79795 100644 --- a/modules/forgejo/default.nix +++ b/modules/forgejo/default.nix @@ -94,7 +94,7 @@ mailer = { ENABLED = true; PROTOCOL = "smtps"; - SMTP_ADDR = "mail.greenbaum.zone"; + SMTP_ADDR = "mail.pub.solar"; SMTP_PORT = 465; FROM = ''"pub.solar git server" ''; USER = "admins@pub.solar"; diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix index 1080a1da..b62789e6 100644 --- a/modules/grafana/default.nix +++ b/modules/grafana/default.nix 
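Review bot: `SMTP_ADDR` now targets mail.pub.solar while the context line `USER = "admins@pub.solar";` is unchanged, and the `loginAccounts` hunks visible elsewhere in this series define only `hensoko@…` and `teutat3s@pub.solar`; unless `admins@pub.solar` is configured in the mail module outside the shown hunks, SMTP AUTH from Forgejo will fail after this lands. The same applies to the grafana, mastodon, nextcloud and prometheus hunks of this commit, which all authenticate as `admins@pub.solar`. The stored SMTP passwords (e.g. `config.age.secrets.grafana-smtp-password`) were presumably issued for the previous host and must match the bcrypt hash set for the account on the new server. The enclosing `mailer` attribute set continues outside the hunk; a one-line comment there, `# shared sender account, defined in modules/mail`, would make the dependency visible.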
@@ -59,7 +59,7 @@ }; smtp = { enabled = true; - host = "mail.greenbaum.zone:465"; + host = "mail.pub.solar:465"; user = "admins@pub.solar"; password = "\$__file{${config.age.secrets.grafana-smtp-password.path}}"; from_address = "no-reply@pub.solar"; diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix index 3a12353d..85210e07 100644 --- a/modules/mastodon/default.nix +++ b/modules/mastodon/default.nix @@ -60,7 +60,7 @@ vapidPublicKeyFile = "/run/agenix/mastodon-vapid-public-key"; smtp = { createLocally = false; - host = "mail.greenbaum.zone"; + host = "mail.pub.solar"; port = 587; authenticate = true; user = "admins@pub.solar"; diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix index 00101c49..22003c8b 100644 --- a/modules/nextcloud/default.nix +++ b/modules/nextcloud/default.nix @@ -63,7 +63,7 @@ mail_smtpname = "admins@pub.solar"; mail_smtpsecure = "tls"; mail_smtpauth = 1; - mail_smtphost = "mail.greenbaum.zone"; + mail_smtphost = "mail.pub.solar"; mail_smtpport = "587"; # This is to allow connections to collabora and keycloak, among other services diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index f77081a8..b8ce54f9 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -129,7 +129,7 @@ send_resolved = true; to = "admins@pub.solar"; from = "alerts@pub.solar"; - smarthost = "mail.greenbaum.zone:465"; + smarthost = "mail.pub.solar:465"; auth_username = "admins@pub.solar"; auth_password = "$SMTP_AUTH_PASSWORD"; require_tls = false; 
diff --git a/secrets/matrix-synapse-secret-config.yaml.age b/secrets/matrix-synapse-secret-config.yaml.age index dc28ea83cd49c25af4ca10bbf951d05aeeeaffad..84f1952c7ec61456edca0b000fb35881399a2bc8 100644 GIT binary patch literal 4186 zcmZ9OhnEut*N52!UUmb#l%)#DB1j9%v}7`aD5Oo2NuQZa3W!YFq)ytTQZ4i%Ac9f_ z1i=>&aY11LML}tThoVvh1XMaM3&*C~UZR2lgTf2N0|lFc z#%*agjpRTpDHMVf6VN-N#xPRM+AIuLQ2tFzXSnL1oY5zEi2#ADyyOG*D#58S#64+G zKIJLEx_ri|<03gL8TaY|o04{V6dJ7)C!-~QAQ@HUA`KZsP< zCY(MJwn;OVv>}@yjP`(!G8l3eABWiVJQGEyjVyZ)CmYtx#66@0BeIO8ZsBPpcDtAW{h%~omxzS zz(~{!Sd1wukxYfStS*lT5k8noq$sGs5F}orvXHZ>ivVajaj6_r5ilM$Sh9A;6(Wd|CaTe8h=@&w&~h&kiQ|aF#mDnL z8Ysp{igHU>P7AXRm{hq`io6R+hLTQM)0lBD9HWc6rWGzgVZ!ET3yRGD-{UBup+TjD zq@=-QG~v%-pjW`m(UdN%5dkwVXjFpeW>BM*$O<@}bx@@^;E39SMp3O)VJS1<*J-_B zLK5TxMkIrzFsYD|>5X}BNkDu`yIOFwGA81QF>oZ~h9efeH?A%~3ea3o`)y`N5qE}j z*%%X$I1E6cps=M2b^}`UBB=}>LJKTL>xxl(CXfI@Q6p&Ol&2I;7v!AJ=fgaDG3gd* zd4eeMT0#Pb5iOZ?I@1N5G3OYs5y@%vaVa8;A%r?@4@6-Dl1=dnjVjEmgoHk;^Batr zD3(si(@mA^5<^B2PSFaBIp@;hW)!lBF)WmhD10u;7GO!*sA9E15~9h1EbY(0NC1m?3zQ$ygt88dlRDKLRx&H3 zGE{G{MclGz49Xd@F$vE{V-}BJWK~>5kfSO%?q#&43|sUoK!XDnB8q|+RwQV^uJ>6% zTOtI9!e$@njwf`S!Vl*pC>9GS&@eAWf}*v6J5&&lM8lNmN1Mi{aXZ39hC%d@jP^-Q zSXN8x97ayibD$RwWI}GC$tKpKC!GsAV@V?I(CB?`oCcji6`CRKR) zqF5xDoV5TGDs57hkz!VjfU0wrf`r%8&OpusCr%T3q3@2v*XqU{$my zfH1r@_J2N3hI2JZSdLcbsFJNo{mQt>?X??on7I%nR6##u)Tb~NWDMgbG;U8qs2S8d zT(GP}+KUoCrnFjMyS~W?o`fx7bh|>Sv_D4qBe_tl1Xz>4Jf=`3Be2i?znS?jtCUIs z;U-p2ofjP}Zw@1j(PfCIc?(B5LZs1*u&fU9QQn+^5Znd95!XscO;(=7GE6>0vHf0f= zIc&x_eMyF7N>Mmw(dm3L18a~tG^!$=O=>w*6%Ar!(XF;Bfk4cmwRtT-iW1{)gIuBa zl>83a-!}N07S^*UqO4Aes6DJyD+!v=*c@^PYsf@EoK(3Z;dp=w=1Pi4laV5LEZvsm+Wo9WB^osU>(o}4w$SA8JCTA)XL?>BL zu~s-r1ijV-8ewcef)OJ&BS>g@MsLc-fhJeM0I6^m-HeTuIYa@ETM;*|bj$V5kXfNZ zJt~JmWN@Pll>5#9q)8DLj@hdr*Z?KnIWZ>>0<4tv8zTln&0~7GVDk&gxQ-D`B|Oj5 z6p@jbU62Ch0D?5h;FPiC$-$@rRHG)Rn$X||W89xv=B{mU?ifGHAN4l2z#KUm9m)R$Kvnv>sK~^-q-o__(!Ry)-mmF!5cQd z`ennphS`}u!BwkwsoK-?hkQ}I^Z3oBDcpU;t zsr{u(iHg|nFKT`}fO>S%A&cJG_FMF!_FVe~7okI+elkVseNKrjDxFWS^)w7mJ{|Q2 
zaDaOXwVL$N!XJ-r+a)~Ai_2bI;5?Y=F{$gFVTy*UOR5%`hgiD35u0{rcJlc&DJ#6E;r|}j;+YeJzElsw0oA}pcNA9WY>p2#a*tS{(J|z z>$!8!?)&BK8r>(|W^~w&Twc=Gx-T?){h816=X&k0fHRI>seQnVtLxI5$Ii7kq#KFa z*4Y7P8md0~y=wZ}YvZ4NQqyz!tlF1$w%r$*@FeNj%C$SQhnCKtcB1xNhve zdUNTI@UoK@tnImBqc1PW5mV5wPq+U1;`#pQpUv?TeJT$9XJmfO<;`#)a%@|lmYe3B zQvdSqm@nHtJkq)LJW*=BV%^wVJ!bsW>QbW9u+53r?ydT63CSKxzupEu9a;R|yei8e z^CQ<)L)Xr=9^t#opWvx+IwI6CY5vx>bEd11yFhCHpPgo62)1NhS=aenk718aqi`l8K9Q@$agFSQ0W38&4fBt@DM8(T3Ep>&R z>h)d5OdGR--LL8MN2`rj=vNt~Bt9)PVc~6};;r+eC-=WnmR~u0)|12gHqLrTq^(bj1ntTW7KrHI@Am8?V-!0#9GMz&C7PioVZp_WxG)pz~+`-X~Wb?6#os z`sNMyZho7y)2FfV$rJ8RtH!Sx_e6K*`ij1Xk9;2ycfNd#xgdXblD2wFzr@6{Sk+-k z=-MFvUDutz7Ot80d0(UDVrA>$uI#Br_Z8R+?|94LVN=e%HS7u8x&O1~7ahv>rn0`x zJM0Hrj$;2azN=~(HgW$^;u+;g1)`^K!u#Gqe)^^1-t6_4S5Zph!K1Bf8t-h{TQ@Ef zs5xpY|7xadjl|Jz0NK5K{H*tTzukS$ndG3SleJ%;Xujs`lN()oe=l69J6qZ2;QXH} zq1#u+JuGL0Gkw-3+}*R1dB^_hsn%>CwSH%Zw^jqt-1LG&y*v5qPks2thMO;?mN_5F zwNCqkoG&5IM;4m^20 zz4NC=-}2SAP94A9vQfWa!sK1ELybxAii}?~_~DWcLn?tS6?>07(`(wio7b3TH|ftB zB0v04w@4Q~_`rLSg0_9z_AW4M@cqT>Uuv^*;Hhucj96LMa%`5Eu3viN&W-vmlhVEW z^#dxz^vRjyyEY#@S9vse`i1a?7I?$O8ISI7@K_g~ys%=&+NWsW4ZDGDuRNLZsJ`mA zZYwtaI>GyPy`$aBH%!m3RDIj*qt$)q={H?Dr8BpCtr4m`vZ2F^kL$F7KP1N8um0X= z7GtV=ty9~OP`mD%50fKr{;{d>1l0HJIdJs5Lu~&pH_Ux)+1_Jk8bb@{KG?LWZMIxr zvJ>`5mWBIkhUE|E_-b|aIGtj)=xO+}|$68(V z`S(7KwYJaS)A5k#&1oifU3Bms+HrsV*K>NdTz2#?*9uMNL$h0&MvSryo>I4YZQ0Nt zX3n`X^~C1m!@LiM);qel{i1x-a_il%vKRV60ey=Ru2prbKfoHx@1=Uox*6#*<>PmU zZP8fk4>#MkoeNDKvi;(yiN|O5{dmyMMFeimCng46NMNxtV5b z)#XRnoAZNkFU^*;Qhw@`9IaGeA;*!jy4&qA6OzKQBlQJ^_fk~T`NhX<;Ndg`z3(}hu z5fNEo1-%}DLkE#2ML<}Z6oExx6%l3GLvM%sgZH`j+`r)SeBbw57&cT9N(O{tDjVgK zgL#3K(8@6iX}P5 zkB4!S#qO}_ygEq+kmgI?oL38BA}=QGLb{ZQ8^bA8Je)0-ib1Q_z=mR0Un;@>CoM+@ zjF?zP`Am6hDZ>~1Noz912f?sHmQsYnxToYy%e59)MCaEazHlMxkwhXWpk$*-D?ueh zmk)-KcqALbGa(=B$dH9Jlg(yqa)pNvvwzWq3{w_Xxy?K)F&grC2oL8_CIy&LZ^`4Q zL4!1h%2*U8Eb6E~N$|dKQby#_C>@ZcozAFFk@V@p8M_FOGEm}(B%&%WV**huL3o&g zhL5{KX3Xd^(1onk?JD^NyTRes>r^%{iDNRm*`~=mMO-6N3em+UB?@oCMBx!z(r(kJ 
ziymAlvdVxR5fkcQ(w;~I@u*cr+LFG20^%HbzNEyYqBp6xS`&g#nx`>In9kc+dm4q@ z0F=qe5?Uh%nhQn;TEJpy1%O43oZvSUh?or`)K;4(Cr69HRGgzZyH;+evJxmDph|*g zoE}K-#zNkNnX-d|hlNldnUscORHzU@I5KJAjZ`TUVKsCn#}(yaJeGH}La`vxC2(6z z?Mot=fU=l$CUf2}lu={8Qc)o#m3BQE;Ajeva)yi`!+dJSD#Xlcsm_#*LH>Y(bxB}j z0E3Hq29`Rav4jj3Wb%R{j~Jn>6mhAt9$1X23qETyBN%-SWhkxUXt}`a;{_Gvhx2S! zl8Cuvw7=vs76U@gZT2t>q)hAGj66gccqkOHSy(k~kw%=c7^HW4^Sl<|FrVET^F=LA zI;fTy6v2WG<0y;VSK>8FfC)(Xj0!Q*ytx#n857BdWhDdRBpK3)cu+)}HiU8ssZGOb0~Rh+FeC%YP}Bqao?j)Oi+HuT!Y=}rQUG9CG9n8I z2}Z#ER_dwQWuNKV@#fecvDV6i0M=TLJTD4NoUH3>#3 z*dZ|?aYZcQOsQf?!NuX}C~ee$(V(}KEGiMJLc_^GDJ5$B8IzGw<~>Qjszl}jX_F3< zXK*MEN&pHYJOrqXS%MneTcB)sk#@w`gg%K_RDPS*A0k;MVF{qD)dn~mIvgoMq|?o- zaTm!#QBWdPgLDRQ+OnXX7j0IQ6P_m{luFaAn$%b!FC~H^kt)O?!l84ax^xIMd2u15 zCQN>zn1cWblqv$&Y#{0lg;9rsOPNVkSb-=RwKgSJ8UVy8hFLy~2Q|D*V8j@KW!Nak z#M4$ZiSQuKN&I?2pU#oSR3xp3^+?znmT?-NGRtaZU^bfuJvi)^s>PBgq`_n^uM))> zqk*SDpA5i4P+FAO47|+33Vc`>6BtL3)Oh_CM61?eb`|5Yhct!+uSa}txf`%x;gHmX z_`EXEo?|jfM_Ir#THx!V;s+80gD(ICFoF+^f%4NuB-8P=$)Dg7_ z2yjNTD{av-P|}%jBB+zcwOWY)SW&w&ElWjZT+tGB1cN5BNJx!1qj89wRF)QUBq_31 zNT&Dev?eQ3j2fk!G-5$Cq|<}Yl9-vpa9+?5shIou<6;G+QfZC`%`__r9OrTn&Maj| zEf|@J|F@4*(R@V;RH@7IM9KNQ`gMX7a~ISGs>tUP#<;`B>cjx&K-E~pQSht7q*f0S zU`~wKIkzP3En4Ieg_4k3J#J2~iTi1S0aM;o$qllRLWar$NKUGBXfxvfVU^NpS@bz8 zOJiP>Q|-}*d95r3X5DBgT?EZ>b=J)pV234>QHY6XHi}D25-SzaWQ7U3soX}Kuz3xG<8B=T~|oHJW#mlZ{LT*{{HFiAmDzZ;jE zN?y^A(T>c2YLhCwAcvPx8db5N6*#wt7Tt&gC{bQzOeRIm3SQ0|36a-j5UtI{A}}rC zX+0Ql8)T7aF%y9NfK3DnDbPw{uAC=j!YVj^rA9g4!Z>b zR+Iq0&V^vvh&RP}Fq9^W0n96<%|?$Xx!P}b=hNr=PJXFloAFoI+OAe1GrA4xFWs=> zyA^#tefIDId3W96x@SY54jXaHzv{`!PdasfWk1$x$(Zy-P+k72eZ{uMe#bAr=%UO~-d6-X1ih7K+;hxc7yxIvKtiwW*`D;>9~YrsKcP zj@Y|Tb@Kk5+miAJr!VerckuVyHWM+fd+>sx* zVzX-Px8d!BT0AqA*Q~9BrN@qHs~S2=G*1@oZJs|hy0Tca+UB1*sp`9~XW|nUR{pc+ zu9o?gx6-M%b{2mAxXtwLPm0EQlVlG*X!rmhjO;wVQPb+p#l2tm&D*=K+n>8k6WjD{ z-1~LQCOhZLZ(VAAef5ai+<;qCg4>^db@%$0w`MJqjw+lE4sYAoH&C&JZc}<0p3ts^ z`~HbywG&o1{9>y&d&Vywe`I<5Y5#KjkgwJbKla|(rz^g{Xs;i2b$#&S(JhUio&CI3 
zrKAVBq!*YNvt{cH&(4#JPb02&v(~Nq?8%uCSK56(v&}wmZEi=~5ncP=IMCs?dB%zX zV=k7uoL;_cRpr*EE#@~L?fkjBusrbX2iM#B8y+7%(bYnAi7fb})k7~bdfEERvL*LV zJ8CD?$2ZMbbgIv)ft71_&O80=HZeC-e{w*0_YeI#|Iy)0%Zjn``Tg$OrfhHAJTtKn zpZ;{w>%m8=n^64o{KFbn z*wgIX_tShcrk4JuTGQkuMA-e^s~?Q}bnb!G8}E-kxug2`+RI~y9y&ac`R(T8%?-Z} zzw;Se4fGM_9$7Y7vGe=!w;dn-0X$lH{HMLxY~{YX_iD(}jDoDJ$C`yNovP{`9j@zy z)sDNfqgH;Yax;v-{_sGP6N5VnduH`1^=Y$vWc|Qzr=L^3cKhL3eC-S8!MZC;+xLI_ z;~$sSU9CM_xqjHhb_?Ffw1&IFM`V-HzK9yxv2#Ov9C8kUb`+KnUtf5jxV7@t zD|hEC=gty844u~f-7)jVe>mTxGaNq<82Qt{$8%PO8T-9=iZu#*3wnaT z)cA8<=U=fiy?;D^%pSeIyU8KU_w(`NP2`@U{N#*_5!zaZhv0hd3s{LrMX7lYp zWz{jM9qc;z7Idp|$mKt`zSU5EYy;lwab7a~!SGc-6P7ETS3cg`(D?O1@b};3WUD#f z{ny3ds%7tZy4SDIpZdi=W}Rd@a;p9NC*P{-yY&N_b2RdF91r!wpH6XQp3Z@=fh{>k@JWb^sdCB?Jz7dF+6qtEeAnnKZsg@26) z2Ec(Q%J!Sy%@1Dr@}6JPju*Au?e9N3)nel-$loK^hJSU^S3W8>@3c-Xot!@)9NKuO z%Y*kLCsS(R=1Rpkn~eQ_|4`QM=-ij)zp%z|tdFg6Iu^7x>Dce!*~zo!6<^Dz30cF= zMb{VP+Rufjjk7&2md2I3&e~)c)^dlmVPo?fQ{V2; zb>D_f&EGwEd;ZR~eaotveynJqZd{Ak$_tOW-P&?=K(7s|EBV5%&3_#Kq0uy8-tg?O zQOlnVgC{Yy17?ric%x?8=)!1j$9I3W@3cvF{wT>kUU&Mp%}ZQuYGMz%zkG36kLq4} zNN{C4fG5JM-;Wc9%MY7HDr@TDL31@N$2lg(pVaWVn)64$UZAb-|0o;r`O&eX_nq3H z&QU#^uJ zF=$oyDYN(YOdOd!e)dpd){qgvjR{q^Tjl9b%C9^fVjS4Kch|LxhAw75-LYglTJhR% zpT2i_-piIWzyBKlaYz4ScP9v}98hT6%W0r%m1RyBq)UOwROyHePHS-#+{Z z(Y0(FyJO@lBd)JBzupGyQV*;4*BRDTm+yU_+j6aLp`>=dzo2*uP&c8vY1a-;+dK&z z-g?vr_d0g3t-^H|udVsVx+xtStKSWsOmrzXf7EHgAFsE4;JQ4ecpIJ7?S(l)_nTtP do${vd& Date: Mon, 27 May 2024 18:05:30 +0200 Subject: [PATCH 09/13] style: treefmt --- hosts/metronom/mail.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hosts/metronom/mail.nix b/hosts/metronom/mail.nix index d1379e95..9b288166 100644 --- a/hosts/metronom/mail.nix +++ b/hosts/metronom/mail.nix @@ -12,9 +12,7 @@ mailserver = { enable = true; fqdn = "mail.pub.solar"; - domains = [ - "pub.solar" - ]; + domains = [ "pub.solar" ]; # A list of all login accounts. To create the password hashes, use # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt' 
From fcd9af314e51a6435852d41dc0551e65942e63e0 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 29 May 2024 10:23:41 +0200
Subject: [PATCH 10/13] mail: update teutat3s password
---
 secrets/mail/teutat3s.age | Bin 2463 -> 2463 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/secrets/mail/teutat3s.age b/secrets/mail/teutat3s.age index 816665bc1f8a78872ed1e11d87ca22c6b4e24a87..ce63948bd5b29db19ed533e7381937a8dc358581 100644 GIT binary patch literal 2463 zcmZXVxy$?r8OIw@OsloLg^h-vxig7{nERT^HMz0LB$?ckb8?}7fUshvrHERISXn8G zf~DKIupo$NvsPlW3dv$#l)gGXwd%6&gQ!P&T8fG2SZY@CTY z`5fmd0+DeU?gv%rS7Ck#Qcr6MS{w2@VBIHa&oJTj^@Za(RT^&UeXv2w7N#!08K(nv zciiJkzd5JrN%UMr4j&X?c&D){i2Arm$C_y2bkCyzuP!FqKhs7NWa?Im=cUdf_aoXk z#V>clk-Hq=9n+}VxmsmbF*Yt)`0Eo*R5qn0ndL!vMv0Z=VwY;H23wFw6{yVUH;-l~ z>{6<`F}@^zdP*S}K;hRl#8KLeUh{$vP;2 z&OHaCV6Tl9Twa3in(v&0Dv;fl6?VjSK&qBkYaSjx_2fBpjLfx(L|k)W&ZcfgfC2>% znP{@r@>m#V%CUrsM|gAM$G+gm(k^LMIpn^L=bgK_l3WGUanp_wtb@MY*A8GVW6T!# zsjVMpIMA47SSQc+3qp;Q6EXP;fp`<#Q953qR9p-a(lHhm?a*DSKn|n;Jdw`>N0X;2 zOVG9DQx4WhoM6)yX49zcvHJz|jKyhRj%e~J1+C$9cuC_ET zbq2VB!VD1i#D?q_f|#vcjqI2ZUf;P|jSf+w8bqiXM+LK) zC+DdNa6lNtc}NRlx{DOGNT}!l_R1@*$LGwAlOaJTc+<8spANFQRiJ~TmOdzlGg0ei z0rnhi;$-6u6GQ9xRlu0A2JpZ;c~o?|gjWP#N;su>G0+8eUIXR=Pk3}U?!qIlD|ayl zo1+J=zh>>F8t;0sbc+dWRkKb7bZ&(E$!9L$W*++Eq6+y$PaL-PFleW2R8;GgE#01M z`j(4~#N9V7Ux&Nt0`0Z5;?dbCF{+-U2w4%wD7!5s#4@36ZuPQcq)&e|^YeKX^4M<; z?!fmpRY=%YVGS4@o)$cwrDOxc!KZ2Y<|3%KSwF+tBxqGLOFl^=7xiY%gQGND@i@52 zIMMNt4zDv{Z4FaW)dbToUE(PUq%e3}qBOZAu+up#+oAT3%k@0w|rIOfVew@~!Xj|D>e+w+2CbhC!F z?=^trvh*WyC|Ypj_N2&1gRigYo{x@tJH(M@ppLbMRACo4lucA#&6F=qkJdR+e)x3; z;Oya2mYdC%&vQ#SX37?Ix2KAhIex8KeHzC5jgBnoiZu4n)^3ff5JpYZ#;84O!+^FP zwNR)t!6!6o(e}Afe9(GUXICg_t+LE#3=KC3al+|;dEA%Fn;s>|m&HEJ*XU#uzCa|9lv;-te zvYSulQh$S0{0jc}?sXhK`UVT>_P8PXXkM%qXPT z1_;j&#DOD_*R=(=*tJUEm2oqL!~kPg@p|}^G}fDThj~#o|8@g0 z4{fX$RaKb|H9bu_JB)ZSS;@HS_fU|8s^-kbp0|OmMElhuHDLNJ@r>u1x*x@e=Nb{% z`J66JbA&eQDgt|#NszORy?)i>n>R0F)PTscsBDJQ-95k`$)xw`e2A?CKYKn=u?p7Q zHrQ?o@WW4k>9?N;wI6+hc<0~v7r*>A_4|Lm`|}_F>a9P0`=^`#FZOqT{qE=ZKY#tb z_m#KCpULlv-+J$>@Bbw`fA%MD|Lw!i{O1qf`^9gDcYYmysB^#k;P3zV;4SP6PyJKh PkG>=QAjbaq;Wz&a*3>c* literal 2463 zcmZXWIq3Wd6~_e|4I(yzg~-oJm-sjLg&^dbT$5yGa>qiGOzvcoOzvo*xT3I?%65W< zjcjElXr+x{A==p4*om#Jia(15-ECj0qLYosFzxgy&m#Ro%&u_p8ZHeW-RU-wT82L*X?CXnJ3T 
z#Dn9~6t6-XWmX^^CL2XAdgzJ$6iGK4Yi$bB5z1cilE+r&N z8B2M#h-gFy7R=WsHE`1Ra=?b-Ad_vICpJX)j}hmM3nfIOHW-CPKg6q}Pn(3Gx2}Gl z_8g;^jIiY{2X6IgTB1PhDkBBC)*ZMT={t?{yq>5)W5LF)+S}OHD8FzZ#GEl4guOB_ zg6x#H2&n+Ia_5|(yoJQQ$IRf8YPFh5S2N@D5QPGJb@C$VvMBt(m?@D$(Ax)GQ|WvQ?<=Z}IoIZeZ7pmN#nsIO8DJp!Pt;^(E| zb(K6YsLW<1bdR_kbNph>2)-Po*|&HoNsgZtev%w2R-TOU(OUwUMF$R~B(hNBDqr@g zDusQ-_K|*M4k#9L*-TN#QaNdQuICrRG-mtxu@W?iPK+|g6uOlaut#;HG<~M%Dp7Y3 z#KT@{Yn0iFO)05RW~R1#Y6pcb3P>?l(`E0$@^oqd60#=eSoLf3k`4B2DCFz? z)-e=b$#XrXTpBPH7&UGS*pX45%&>4F^K62qjJW2b({Y%L8~P%_GTASZD+QY0b21DQ z=OLG(?kU%t>6HXi`M}K^RyKwE&Zs%*q+vr}!aMld&Y)IS)(2GWT}q;z&_v?(t$?ST zXUoD);+c)MQ%VB~t+{*O!&~G^D~&h@FU*{Vg6TRvRh#D;c>&!x;D+v0+JXjMz2KN& zMN8P|w1PVaj8^Jyo`FseS;4Q=AV7-1c0Nm*h=ntAuI5)yKe@qvKMqaaUPXAFSw%!u zY3X4-_yEWG*J*QF9fWWeyIX1rZvtxei*X9E>T-zPm<^ay;Z%k&bSqR!e242&igk6n zVGRbzG2zUvMcEl4cR}qUl;%A|*zw43d5Y)L}_ zu&v_`W}A?iTuwu1p9fx{2=2-#SHXwO42JpQ>NjBlcJKT7{tXRImO17x(tWdV>Mlz= zHIO^E@x6!{4?~Fq5?mOqFK8BRWJuN89KhA7U1=`Xt%SLWL&GgH%H|6?*qzNUin`Na zLf&x^a>ozSO4%hb_T?sNJ_Y*p2%>_BIa(a>o6CE z^1(OOP_B@s4KBkW)&koOV0OYxjZ`1yRTV6$M+#UFmb<`)4m}x~t?j|oB@ek)KJ*`e zn2R>o7jbXPaq(F>i%{0rz=$m)NE@0C(Y)e*pdg|UHiFhilK`aoI2(p{S9X(Xhe4k7 zP49i3syw~7(l#J!-4S%JOztr7=FOWIBrm~B(WbQ|pK=l!pH{Bxw$UwTuaTBH6Z;@S z#Kl;MkpKt$k{@xEi^SM8M^bg Date: Wed, 29 May 2024 10:30:03 +0200 Subject: [PATCH 11/13] mail: move NixOS module to modules --- hosts/metronom/default.nix | 1 - hosts/metronom/mail.nix => modules/mail/default.nix | 0 2 files changed, 1 deletion(-) rename hosts/metronom/mail.nix => modules/mail/default.nix (100%) diff --git a/hosts/metronom/default.nix b/hosts/metronom/default.nix index c6e90714..a1699f15 100644 --- a/hosts/metronom/default.nix +++ b/hosts/metronom/default.nix @@ -6,7 +6,6 @@ ./configuration.nix ./networking.nix - ./mail.nix ./wireguard.nix #./backups.nix ]; diff --git a/hosts/metronom/mail.nix b/modules/mail/default.nix similarity index 100% rename from hosts/metronom/mail.nix rename to modules/mail/default.nix 
From 0038be3d2c1c187e9dfe4247a63de7c8decc0599 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 29 May 2024 10:30:33 +0200 Subject: [PATCH 12/13] metronom: use wireguard IP for SSH, lock down SSH port access to wireguard only --- flake.nix | 2 +- hosts/metronom/wireguard.nix | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index a9e1e6d1..d96ccf73 100644 --- a/flake.nix +++ b/flake.nix @@ -127,7 +127,7 @@ sshUser = username; }; metronom = { - hostname = "49.13.236.167"; + hostname = "10.7.6.3"; sshUser = username; }; tankstelle = { diff --git a/hosts/metronom/wireguard.nix b/hosts/metronom/wireguard.nix index ff736a01..0eef6975 100644 --- a/hosts/metronom/wireguard.nix +++ b/hosts/metronom/wireguard.nix @@ -41,14 +41,14 @@ }; }; - #services.openssh.listenAddresses = [ - # { - # addr = "10.7.6.3"; - # port = 22; - # } - # { - # addr = "[fd00:fae:fae:fae:fae:3::]"; - # port = 22; - # } - #]; + services.openssh.listenAddresses = [ + { + addr = "10.7.6.3"; + port = 22; + } + { + addr = "[fd00:fae:fae:fae:fae:3::]"; + port = 22; + } + ]; } From 8f46e2263611a82953b3854133123e7d32c1f30c Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 29 May 2024 10:50:24 +0200 Subject: [PATCH 13/13] docs: updates for metronom / mail --- docs/mail.md | 4 ++++ docs/unlocking-root.md | 12 ++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 docs/mail.md diff --git a/docs/mail.md b/docs/mail.md new file mode 100644 index 00000000..7719ac6d --- /dev/null +++ b/docs/mail.md @@ -0,0 +1,4 @@ +### Mail + +mail.pub.solar aka metronom.pub.solar hosts our internal mails. +This is a small Hetzner cloud instance on https://console.hetzner.cloud. diff --git a/docs/unlocking-root.md b/docs/unlocking-root.md index 463bd1b7..511d2422 100644 --- a/docs/unlocking-root.md +++ b/docs/unlocking-root.md 
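Review bot: Binding sshd exclusively to `10.7.6.3` and `[fd00:fae:fae:fae:fae:3::]` means sshd can only bind once the WireGuard interface is up; if it starts earlier, every bind fails, sshd exits with no listening socket, and unless the unit is retried the host is reachable only through the provider console. Either order the service after the tunnel, `systemd.services.sshd.after = [ "wireguard-<wg-interface-name>.service" ];` (placeholder — use the unit name that hosts/metronom/wireguard.nix actually creates), or permit binding to not-yet-present addresses with `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` and the IPv6 counterpart. Port 22 is presumably still opened on the public interface by the default `services.openssh.openFirewall = true`; setting it to `false` keeps the firewall consistent with the listen restriction. The flake.nix change to `hostname = "10.7.6.3"` implies every deploy now requires an active WireGuard peer, which deserves a line in docs/deploying.md; the initrd sshd on port 2222 still answers on the public IP and is unaffected by this hunk.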
@@ -1,9 +1,17 @@ # Unlocking the root partition on boot -After a boot, the encrypted root partition will have to be unlocked. This is done by accessing the server via SSH with user root on port 2222. +After a reboot, the encrypted ZFS pool will have to be unlocked. This is done by accessing the server via SSH with user `root` on port 2222. + +Nachtigall: ``` -ssh root@nachtigall.pub.solar -p2222 +ssh root@138.201.80.102 -p2222 +``` + +Metronom: + +``` +ssh root@49.13.236.167 -p2222 ``` After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.