diff --git a/hosts/flora-6/caddy.nix b/hosts/flora-6/caddy.nix index cd90d4ef..648bfe33 100644 --- a/hosts/flora-6/caddy.nix +++ b/hosts/flora-6/caddy.nix @@ -72,6 +72,19 @@ reverse_proxy :4000 ''; }; + "list.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + handle_path /static/* { + root * /var/lib/mailman/web + file_server + } + + reverse_proxy :8000 + ''; + }; "obs-portal.pub.solar" = { logFormat = lib.mkForce '' output discard diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix index f25f89dc..08af3d5d 100644 --- a/hosts/flora-6/flora-6.nix +++ b/hosts/flora-6/flora-6.nix @@ -19,6 +19,7 @@ in { ./drone.nix ./keycloak.nix ./gitea.nix + ./mailman.nix profiles.base-user profiles.users.root # make sure to configure ssh keys diff --git a/hosts/flora-6/mailman.nix b/hosts/flora-6/mailman.nix new file mode 100644 index 00000000..340d3e03 --- /dev/null +++ b/hosts/flora-6/mailman.nix 
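Review bot: `handle_path /static/*` strips the `/static` prefix before `file_server` resolves the remainder against `root * /var/lib/mailman/web`, so the whole directory the new `mailman-web` container mounts as its data volume is served to anonymous clients, not only a static-asset subtree. If that mount holds anything besides static assets (this diff does not show what the image writes there), either point the root at the asset subdirectory, e.g. `root * /var/lib/mailman/web/static`, or use `handle /static/*` so the prefix is preserved and only that subtree can resolve. The vhost also forces `output discard`, consistent with the neighbouring entries, which leaves no access record for this endpoint should an incident ever need to be reconstructed. The enclosing virtualHosts attribute set starts and ends outside the hunk.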
@@ -0,0 +1,114 @@
+{
+ config,
+ lib,
+ pkgs,
+ self,
+ ...
+}: {
+ system.activationScripts.mkMailmanNet = let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in ''
+ ${dockerBin} network inspect mailman-net >/dev/null 2>&1 || ${dockerBin} network create mailman-net --subnet 172.20.1.0/24
+ '';
+
+ users.users.mailman = {
+ description = "Mailman Service";
+ home = "/var/lib/mailman";
+ useDefaultShell = true;
+ uid = 993;
+ # Group hakkonaut so caddy can serve the static files from mailman-web directly
+ group = "hakkonaut";
+ isSystemUser = true;
+ };
+
+ age.secrets.mailman-core-secrets = {
+ file = "${self}/secrets/mailman-core-secrets.age";
+ mode = "600";
+ owner = "mailman";
+ };
+
+ age.secrets.mailman-web-secrets = {
+ file = "${self}/secrets/mailman-web-secrets.age";
+ mode = "600";
+ owner = "mailman";
+ };
+
+ age.secrets.mailman-db-secrets = {
+ file = "${self}/secrets/mailman-db-secrets.age";
+ mode = "600";
+ owner = "mailman";
+ };
+
+ virtualisation = {
+ docker = {
+ enable = true;
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."mailman-core" = {
+ image = "maxking/mailman-core:0.4";
+ autoStart = true;
+ user = 993;
+ volumes = [
+ "/var/lib/mailman/core:/opt/mailman/"
+ ];
+ extraOptions = [
+ "--network=mailman-net"
+ ];
+ environment = {
+ DATABASE_TYPE = "postgres";
+ DATABASE_CLASS = "mailman.database.postgresql.PostgreSQLDatabase";
+ };
+ environmentFiles = [
+ config.age.secrets.mailman-core-secrets.path
+ ];
+ ports = [
+ "127.0.0.1:8001:8001" # API
+ "127.0.0.1:8024:8024" # LMTP - incoming emails
+ ];
+ };
+
+ containers."mailman-web" = {
+ image = "maxking/mailman-web:0.4";
+ autoStart = true;
+ user = 993;
+ volumes = [
+ "/var/lib/mailman/web:/opt/mailman-web-data";
+ ];
+ extraOptions = [
+ "--network=mailman-net"
+ ];
+ environment = {
+ DATABASE_TYPE = "postgres";
+ SERVE_FROM_DOMAIN = "list.pub.solar";
+ MAILMAN_ADMIN_USER: "admin";
+ MAILMAN_ADMIN_EMAIL: 
"admins@pub.solar";
+ };
+ environmentFiles = [
+ config.age.secrets.mailman-web-secrets.path
+ ];
+ ports = [
+ "127.0.0.1:8000:8000" # HTTP
+ # "127.0.0.1:8080:8080" # uwsgi
+ ];
+ };
+
+ containers."mailman-db" = {
+ image = "postgres:14-alpine";
+ autoStart = true;
+ user = 993;
+ extraOptions = [
+ "--network=mailman-net"
+ ];
+ volumes = [
+ "/var/lib/mailman/database:/var/lib/postgresql/data";
+ ];
+ environmentFiles = [
+ config.age.secrets.mailman-db-secrets.path
+ };
+ };
+ };
+}
diff --git a/secrets/mailman-core-secrets.age b/secrets/mailman-core-secrets.age
new file mode 100644
index 00000000..294bcd9d
Binary files /dev/null and b/secrets/mailman-core-secrets.age differ
diff --git a/secrets/mailman-db-secrets.age b/secrets/mailman-db-secrets.age
new file mode 100644
index 00000000..c2a0ab33
--- /dev/null
+++ b/secrets/mailman-db-secrets.age
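Review bot: `mailman.nix` as added does not parse as Nix: the mailman-web `environment` set writes `MAILMAN_ADMIN_USER: "admin";` and `MAILMAN_ADMIN_EMAIL: "admins@pub.solar";` with `:` where a binding needs `=`, the single element of both the mailman-web and mailman-db `volumes` lists is followed by a `;` that list syntax does not allow, and mailman-db's `environmentFiles = [` is closed by `};` with no `];`. Those should read `MAILMAN_ADMIN_USER = "admin";`, `MAILMAN_ADMIN_EMAIL = "admins@pub.solar";`, the two volume strings without the trailing `;`, and `];` after `config.age.secrets.mailman-db-secrets.path`. Separately, `mkMailmanNet` is an activation script and so is not ordered after `docker.service`; on a boot where the daemon is not yet up the `network create` would fail without aborting the switch, and all three containers, started with `--network=mailman-net`, would fail to come up — a `systemd.services` oneshot ordered `after = [ "docker.service" ]` and required by the container units is the usual shape (inferred from the ordering; the activation log would confirm). Last, giving the `mailman` user primary group `hakkonaut` so Caddy can read the web data also applies to `/var/lib/mailman/core` and `/var/lib/mailman/database` written by the other two containers; worth confirming those stay group-inaccessible, since the database directory holds the postgres data files and the core directory the list configuration.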
@@ -0,0 +1,23 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw WqfbigFDHy0nh/B8SjJk2MCKKRQ1Jt/gXxRz2neNvlc +5wJjaxa1sOPPQfg4n6n6HurhkN/+ARVhthxoK8bzOWE +-> ssh-ed25519 BVsyTA Lvki0R7gZediS9KnQGerUtVZQ7qZYUXaUbPvqv2zmgM +YTLaJM1UqpL+avMZz0mMKz1i9LSalbTQkC6xFbYbyAw +-> ssh-rsa kFDS0A +Xcm7KqiO5yK5RUwhJPrJ3fk/GTVK0OJlsGouc71p35o5AgqBrbW0HiNBGMl24oUP +jMU9nSlATq4VaQWKHCqnGOeJCw83C1AON7sVHhoT3vzFWKs9TO0TDR0Gm0fCBTm1 +hk2fQZ/sMe8lGuSyISDg1QmEkC7ow/FwXmMlW5xw0honj1ca+mZ8w5YeWVCMLpGg +pob/79odfVMtlk4uqcjboto6X6aY/W43yG8VQUJwZ3hK/4wVn16Os+RlNH6GAFr0 +aZ6SS4cJR9uTd/y9rQIg9rgQ95qTusg66ClBRdMCy7fvXbfMAMvmtmwBQJQdpO2q +tURAN4Id3+j+vuqk0nqnj0oXx61mIlutbADbkoRlhB9VFVffSu/KeMFVOtSMD0AN +Sp0q4nhv5BSaOP/D0YwOMPmCuS2M6aVfWvPQvrQ5YE4MEWK2qs4A3vZRn2d8o5hh +mvH+y+Foxt69D+k32DWFMCbZCSxlBKW1aGZ6AexFXx6zYyzBoYE9zB6QSI8ZbqN0 +LfBpz2YNCix+6y5qUsCYsY9aa9m4azpsKD7M5IFgmkLqUGvsH7Xx7PC/Z9B4zTgs +MHMJPPR/yRZ8PzbnXIUen4/PnO4j7AbgYDv4FCAAfWJjufC7v+vTI0m80Y/7uZCu +dk6DPZaUMbJFYXPNUNODP/6Dn5RL8hy74IjdLtNIbzg +-> ejJ:5Us-grease +fWwlxnUaotXS0iwGa0zkPyoHuNjTBBgFJUO8cVMNfB2vxoPKraJ+weyTXbu8Fa7i +WVehDudiKTfaK4Ruy6hbUZBjZ+Aq3LDpezw +--- XjN/bkA+YEfIro1w01fcKA7n0xMq6raWxpXoedRIw/g +ECdtya(Qq.jH 6i[M +sm0 ])ձTTo=̢ 7DA}&H=OR6>?$Om͸g괖AFYqܰ~ki2iu1!U?2<ĩ$e63 \ No newline at end of file diff --git a/secrets/mailman-web-secrets.age b/secrets/mailman-web-secrets.age new file mode 100644 index 00000000..fe6c8d5f Binary files /dev/null and b/secrets/mailman-web-secrets.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 43fa79ad..99d220a3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,15 +1,26 @@ let # set ssh public keys here for your system and user - b12f-main = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg="; - b12f-backup = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw="; - teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; + b12f-bbcom = "ssh-rsa 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"; + teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; flora-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1"; - allKeys = [flora-6 teutat3s b12f-main b12f-backup]; - deployKeys = [flora-6 teutat3s b12f-main b12f-backup]; + + allKeys = [ + flora-6 + teutat3s-dumpyourvms + b12f-bbcom + ]; + deployKeys = [ + flora-6 + teutat3s-dumpyourvms + b12f-bbcom + ]; in { "gitea-database-password.age".publicKeys = deployKeys; "gitea-mailer-password.age".publicKeys = deployKeys; "keycloak-database-password.age".publicKeys = deployKeys; "drone-secrets.age".publicKeys = deployKeys; "drone-db-secrets.age".publicKeys = deployKeys; + "mailman-core-secrets.age".publicKeys = deployKeys; + "mailman-web-secrets.age".publicKeys = deployKeys; + "mailman-db-secrets.age".publicKeys = deployKeys; }
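Review bot: `b12f-main` and `b12f-backup` are dropped from `deployKeys` and `b12f-bbcom` added, but none of the five pre-existing `.age` files listed in the `in` block are modified in this commit, so as far as this diff shows they remain encrypted to the removed keys and not to the new one; the recipient change only takes effect after a rekey (`agenix -r`), which should land together with the key rotation. `allKeys` stays a verbatim copy of `deployKeys` that nothing in the visible file references; `allKeys = deployKeys;` or dropping it would make the intent clearer. The new `mailman-db-secrets.age` landed as a text diff while the other two secrets were detected as binary; a `*.age binary` line in `.gitattributes` keeps ciphertext out of textual diffs consistently.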