WIP MADDY

2025-01-06 10:14:00 +01:00
12 changed files with 10 additions and 262 deletions
--- a/configs/common.nix
+++ b/configs/common.nix
@ -70,8 +70,6 @@ in
    neovim
    ripgrep
    wget
    ghostty.terminfo
  ];
  hm = {
--- a/global/utils.nix
+++ b/global/utils.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, ... }:
 {
  setupSecrets =
    _config:
@ -96,20 +96,4 @@
      }
    ];
  };
  # shamelessly stolen from soopyc's gensokyo
  mkNginxFile =
    {
      filename ? "index.html",
      content,
      status ? 200,
    }:
    {
      # gets the store path of the directory in which the file is contained
      # we have to use writeTextDir because we don't want to expose the whole nix store to nginx
      # and because you can't just return an absolute path to a file
      alias = builtins.toString (pkgs.writeTextDir filename content) + "/";
      tryFiles = "${filename} =${builtins.toString status}";
    };
 }
--- a/2
+++ b/2
@ -19,7 +19,7 @@ boot *args:
 deploy system user="leo":
    #!/usr/bin/env bash
    set -euxo pipefail
-    flake=$(nix eval --impure --raw --expr "(builtins.getFlake \"git+file://$PWD\").outPath")
+    flake=$(nix eval --impure --raw --expr "(builtins.getFlake \"$PWD\").outPath")
    nix copy "$flake" --to "ssh://{{user}}@{{system}}"
    # -R/--bypass-root-check is needed because of a Git CVE regression in Nix 2.20
    # See NixOS/nix#10202, viperML/nh#200
--- a/programs/games.nix
+++ b/programs/games.nix
@ -22,7 +22,6 @@
    steam = {
      enable = true;
      gamescopeSession.enable = true;
      extraCompatPackages = [ pkgs.proton-ge-bin ];
    };
    gamemode.enable = true;
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -41,6 +41,4 @@ in
  "etna/vmauthEnv.age".publicKeys = main ++ [ etna ];
  "etna/upsdUserPass.age".publicKeys = main ++ [ etna ];
  "etna/cobaltTokens.age".publicKeys = main ++ [ etna ];
  "vesuvio/maddyEnv.age".publicKeys = main ++ [ vesuvio ];
 }
--- a/secrets/vesuvio/maddyEnv.age
+++ b/secrets/vesuvio/maddyEnv.age
@ -1,14 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cUNLWjYzZnV2eHFoT3cr
 ZjVnd1ZiTVN6UXNGMmZvOVhoVW9VUFUxc2xRCkFtWjVPWGJRaDliWWZJbHZGU3k0
 TmVFZWdKcUpDeVNRcHk2ZXkvNENrcGsKLT4gWDI1NTE5IFgyenhNdWZkcnpPa2pW
 ekN5bXRWVDdIUk41c01uNHJFMVlkR1lBenM1QmMKZnBOeERqMWxHU25qVklWYjlW
 WElLcHVkMDlyRk5iSUd0NnVoeGpEZFZsVQotPiBYMjU1MTkgbCtsUHpjWUQrZFdL
 ckZKN0ozNlBrUmprV0drbElDMGNSaEdnU0swV1JsSQpGVVBHQVgwd2tiaC9wOXNH
 dXN6a1I4U0IwdnR1Mmh1OVo2Z2Nka2tBTXBnCi0+IFgyNTUxOSBtQWdSVUJBRzhz
 dHZhYVMyUUZPUG1sbm1Nbk1Tb2RpbURnQVI0WUFzUlNFCnJ0ekpvdjBxaXRyR2pl
 amE1VFl0SkxCUEF6SzhCN2JRcWY2OWpMWkFsNjAKLS0tIFNpT21weEQwUjQ3VzVj
 ZjVyaUZHOVRYU0lrYlVORDROM2tJbGlJbTdxYjQKsk04W9FOBWj2it7o+ecEM72l
 ezacJhtUWObiYe5PiMAaumhINJVr8GN7HYRgzTAAIlsn05aTT5WkYgwJQ9XRJphb
 cSx24vSfrZ5BGoizwg==
 -----END AGE ENCRYPTED FILE-----
--- a/systems/default.nix
+++ b/systems/default.nix
@ -1,11 +1,10 @@
 {
  lib,
  pkgs,
  inputs,
  ...
 }:
 let
-  _utils = import ../global/utils.nix { inherit lib pkgs; };
+  _utils = import ../global/utils.nix { inherit lib; };
  toSystem =
    name:
--- a/systems/etna/default.nix
+++ b/systems/etna/default.nix
@ -1,5 +1,6 @@
 {
  lib,
  pkgs,
  config,
  _utils,
  ...
@ -27,10 +28,6 @@ in
    secrets.generate
    cfTunnelSecret.generate
    # essential configs, do not remove
    ./postgresql.nix
    # services
    ./cobalt.nix
    ./dendrite.nix
    ./forgejo.nix
@ -62,6 +59,11 @@ in
    openssh.openFirewall = true;
    nginx.enable = true;
    postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
    };
    frp = {
      enable = true;
      role = "client";
--- a/systems/etna/nextcloud.nix
+++ b/systems/etna/nextcloud.nix
@ -28,7 +28,6 @@ in
    config = {
      adminpassFile = adminPass.path;
      dbtype = "sqlite";
    };
  };
 }
--- a/systems/etna/postgresql.nix
+++ b/systems/etna/postgresql.nix
@ -1,27 +0,0 @@
 { pkgs, ... }:
 {
  services = {
    postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      settings.port = 5432;
      enableTCPIP = true;
      ensureDatabases = [
        "maddy"
      ];
      authentication = ''
        host maddy maddy vesuvio.fossa-macaroni.ts.net scram-sha-256
      '';
    };
    postgresqlBackup = {
      enable = true;
      backupAll = true;
      compression = "zstd";
      location = "/data/backups/postgresql";
    };
  };
 }
--- a/systems/vesuvio/mail.nix
+++ b/systems/vesuvio/mail.nix
@ -1,32 +1,14 @@
-{ config, _utils, ... }:
+{ config, ... }:
 let
  certName = "mail.c.uku3lig.net";
  certLocation = config.security.acme.certs.${certName}.directory;
  env = _utils.setupSingleSecret config "maddyEnv" { };
 in
 {
  imports = [ env.generate ];
  security.acme.certs.${certName} = {
    group = config.services.maddy.group;
    extraLegoRenewFlags = [ "--reuse-key" ]; # soopyc said its more secure
  };
  services.nginx.virtualHosts."mta-sts.uku3lig.net" = {
    forceSSL = true;
    useACMEHost = certName;
    locations."/.well-known/" = _utils.mkNginxFile {
      filename = "mta-sts.txt";
      content = ''
        version: STSv1
        mode: enforce
        mx: mx1.uku3lig.net
        max_age: 604800
      '';
    };
  };
  services.maddy = {
    enable = true;
    hostname = "mx1.uku3lig.net";
@ -47,171 +29,7 @@ in
    };
    config = ''
      ## common stuff
      auth.pass_table local_authdb {
        table sql_table {
          driver postgres
          dsn "host=etna password={env:POSTGRES_PASSWORD} dbname=maddy sslmode=disable"
          table_name passwords
        }
      }
      storage.imapsql local_mailboxes {
        driver postgres
        dsn "host=etna password={env:POSTGRES_PASSWORD} dbname=maddy sslmode=disable"
        # TODO: imap_filter https://maddy.email/reference/storage/imap-filters/
      }
      # chain of steps applied to recipients
      # each step is a lookup table
      table.chain local_rewrites {
        # this removes the +suffix part from the address
        optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
        optional_step static {
            entry postmaster postmaster@$(primary_domain)
        }
      }
      ## message reception
      msgpipeline local_routing {
        # TODO: checks (rspamd)
        modify {
          replace_rcpt &local_rewrites
        }
        # catch-all setup inspired by https://github.com/foxcpp/maddy/issues/243#issuecomment-1406567636
        # we don't have a destination_in clause because there is only one imap account
        destination $(local_domains) {
          modify {
            replace_rcpt regexp ".*" "hi@uku.moe"
          }
          deliver_to &local_mailboxes
        }
        default_destination {
          reject 550 5.1.1 "User doesn't exist"
        }
      }
      smtp tcp://0.0.0.0:25 {
        limits {
          # Up to 20 msgs/sec across max. 10 SMTP connections.
          all rate 20 1s
          all concurrency 10
        }
        dmarc yes
        checks {
          require_mx_record
          dkim
          spf
        }
        source $(local_domains) {
          reject 501 5.1.8 "Use internal submission port for outgoing SMTP"
        }
        default_source {
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
            reject 550 5.1.1 "User doesn't exist"
          }
        }
      }
      ## message sending
      target.remote &outbound_delivery {
        limits {
          # Up to 20 msgs/sec across max. 10 SMTP connections for each recipient domain.
          destination rate 20 1s
          destination concurrency 10
        }
        mx_auth {
          dane
          mtasts
          local_policy {
            min_tls_level encrypted
            min_mx_level none
          }
        }
      }
      target.queue remote_queue {
        target &outbound_delivery
        # sender domain for DSNs (delivery status notifications)
        autogenerated_msg_domain $(primary_domain)
        # pipeline to know where to send DSNs
        bounce {
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
          }
        }
      }
      submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
        limits {
          # Up to 50 msgs/sec across any amount of SMTP connections.
          all rate 50 1s
        }
        auth &local_authdb
        source $(local_domains) {
          # make sure the sender is allowed to send from this server
          # local_rewrites allows us to use aliases as sender
          check {
            authorize_sender {
              prepare_email &local_rewrites
              user_to_email identity
            }
          }
          # just loop back if we are sending an email to ourselves
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
            modify {
              dkim $(primary_domain) $(local_domains) default
            }
            deliver_to &remote_queue
          }
        }
        default_source {
          reject 501 5.1.8 "Non-local sender domain"
        }
      }
      ## IMAP
      imap tls://0.0.0.0:993 {
        auth &local_authdb
        storage &local_mailboxes
      }
    '';
  };
  systemd.services.maddy.serviceConfig.EnvironmentFile = env.path;
  networking.firewall.allowedTCPPorts = [
    25 # smtp
    465 # submissions
    587 # submission (starttls)
    993 # imaps
  ];
 }
--- a/systems/vesuvio/nginx.nix
+++ b/systems/vesuvio/nginx.nix
@ -1,13 +1,5 @@
 {
  services.nginx.virtualHosts = {
    # default server
    "vps.uku3lig.net" = {
      default = true;
      addSSL = true;
      enableACME = true;
      locations."/".return = "404";
    };
    # immich
    "im.uku.moe" = {
      forceSSL = true;