From 7c1f95f11b185776b669969212f8316119039abc Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Wed, 18 Dec 2024 06:01:30 +0100
Subject: [PATCH] Move emails to hel1

---
 profiles/hel.nix | 99 ++++++++++++++++++++++++++
 profiles/storage.nix | 161 -------------------------------------------
 terraform/config.tf | 2 +-
 terraform/dns.tf | 7 +-
 4 files changed, 104 insertions(+), 165 deletions(-)

diff --git a/profiles/hel.nix b/profiles/hel.nix
index 755af7f..c525525 100644
--- a/profiles/hel.nix
+++ b/profiles/hel.nix
@@ -18,6 +18,27 @@
 dmarcExporterPassword = {
 key = "dmarc_exporter/password";
 };
+ paultrialPassword = {
+ key = "email/accounts_passwords/paultrial";
+ };
+ eliosPassword = {
+ key = "email/accounts_passwords/elios";
+ };
+ mariePassword = {
+ key = "email/accounts_passwords/marie";
+ };
+ alicePassword = {
+ key = "email/accounts_passwords/alice";
+ };
+ monitPassword = {
+ key = "email/accounts_passwords/monit";
+ };
+ noreplyBanditlairPassword = {
+ key = "email/accounts_passwords/noreply_banditlair";
+ };
+ noreplyFroidmontPassword = {
+ key = "email/accounts_passwords/noreply_froidmont";
+ };
 };
 
 time.timeZone = "Europe/Amsterdam";
@@ -211,6 +232,9 @@
 repoName = "bl";
 additionalPaths = [
 "/var/lib/acme"
+ "/var/vmail"
+ "/var/dkim"
+ "/var/sieve"
 "/var/lib/nextcloud"
 ];
 patterns = [
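Review bot: The three new entries in `additionalPaths` are literal strings, while the mailserver block added elsewhere in this commit no longer sets `mailDirectory`/`sieveDirectory` (the storage.nix copy pinned them to /nix/var/data/...), so the backup now silently depends on the module defaults matching these literals. Referencing the module options keeps the two in step, e.g. `config.mailserver.mailDirectory` and `config.mailserver.sieveDirectory` in place of `"/var/vmail"` and `"/var/sieve"`, and the DKIM directory should come from the corresponding module option if one is exposed. `/var/dkim` holds the domains' private signing keys, so the repository receiving this backup has to be treated as secret material; it already holds /var/lib/acme, so this is presumably already the case. The enclosing block (presumably the `services.backup-job` that `repoName = "bl"` belongs to) starts and ends outside the hunk.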
@@ -388,4 +412,79 @@
 gid = 991;
 };
 
+ mailserver = {
+ enable = true;
+ fqdn = "mail.banditlair.com";
+ domains = [
+ "banditlair.com"
+ "froidmont.org"
+ "falbo.fr"
+ ];
+ localDnsResolver = false;
+ enableManageSieve = true;
+ lmtpSaveToDetailMailbox = "no";
+ policydSPFExtraConfig = ''
+ Domain_Whitelist = skynet.be
+ '';
+ loginAccounts = {
+ "paultrial@banditlair.com" = {
+ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
+ hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
+ aliases = [
+ "contact@froidmont.org"
+ "account@banditlair.com"
+ ];
+ };
+ "marie-alice@froidmont.org" = {
+ hashedPasswordFile = config.sops.secrets.mariePassword.path;
+ aliases = [
+ "osteopathie@froidmont.org"
+ "communication@froidmont.org"
+ ];
+ };
+ "alice@froidmont.org" = {
+ hashedPasswordFile = config.sops.secrets.alicePassword.path;
+ };
+ "elios@banditlair.com" = {
+ hashedPasswordFile = config.sops.secrets.eliosPassword.path;
+ aliases = [
+ "webshit@banditlair.com"
+ "outlook-pascal@banditlair.com"
+ ];
+ };
+ "monit@banditlair.com" = {
+ hashedPasswordFile = config.sops.secrets.monitPassword.path;
+ sendOnly = true;
+ };
+ "noreply@banditlair.com" = {
+ hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
+ sendOnly = true;
+ };
+ "noreply@froidmont.org" = {
+ hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
+ sendOnly = true;
+ };
+ };
+ extraVirtualAliases = {
+ "info@banditlair.com" = "paultrial@banditlair.com";
+ "postmaster@banditlair.com" = "paultrial@banditlair.com";
+ "abuse@banditlair.com" = "paultrial@banditlair.com";
+
+ "info@froidmont.org" = "paultrial@banditlair.com";
+ "postmaster@froidmont.org" = "paultrial@banditlair.com";
+ "abuse@froidmont.org" = "paultrial@banditlair.com";
+
+ "info@falbo.fr" = "paultrial@banditlair.com";
+ "postmaster@falbo.fr" = "paultrial@banditlair.com";
+ "abuse@falbo.fr" = "paultrial@banditlair.com";
+
+ #Catch all
+ "@banditlair.com" = "paultrial@banditlair.com";
+ "@froidmont.org" = "paultrial@banditlair.com";
+ "@falbo.fr" = "elios@banditlair.com";
+ };
+
+ certificateScheme = "acme-nginx";
+ };
+
 }
diff --git a/profiles/storage.nix b/profiles/storage.nix
index 3d9517d..0b999b8 100644
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@@ -12,34 +12,9 @@
 ];
 
 sops.secrets = {
- borgSshKey = {
- owner = config.services.borgbackup.jobs.data.user;
- key = "borg/client_keys/storage1/private";
- };
 nixCacheKey = {
 key = "nix/cache_secret_key";
 };
- paultrialPassword = {
- key = "email/accounts_passwords/paultrial";
- };
- eliosPassword = {
- key = "email/accounts_passwords/elios";
- };
- mariePassword = {
- key = "email/accounts_passwords/marie";
- };
- alicePassword = {
- key = "email/accounts_passwords/alice";
- };
- monitPassword = {
- key = "email/accounts_passwords/monit";
- };
- noreplyBanditlairPassword = {
- key = "email/accounts_passwords/noreply_banditlair";
- };
- noreplyFroidmontPassword = {
- key = "email/accounts_passwords/noreply_froidmont";
- };
 };
 
 custom = {
@@ -48,19 +23,6 @@
 secretKeyFile = config.sops.secrets.nixCacheKey.path;
 };
 
- services.backup-job = {
- enable = true;
- repoName = "bl";
- patterns = [
- "- /nix/var/data/media"
- "- /nix/var/data/transmission/downloads"
- "- /nix/var/data/transmission/.incomplete"
- ];
- readWritePaths = [ "/nix/var/data/backup" ];
- startAt = "04:00";
- sshKey = config.sops.secrets.borgSshKey.path;
- };
-
 services.monit = {
 enable = true;
 additionalConfig = ''
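Review bot: The mailserver block moved here drops the `mailDirectory` and `sieveDirectory` settings the storage.nix copy had, so hel1 will use the module defaults, and the existing data under /nix/var/data/vmail and /nix/var/data/sieve is only served once it has been migrated into those locations; that migration is not part of this commit. The same applies to the DKIM private keys: if hel1 generates fresh keys, outbound signatures stop matching the published selector records (dns.tf in this commit touches no DKIM TXT records), so either the key directory is copied over from storage1 before first start or the DNS records are rotated in the same change. A short comment above `mailserver = {` recording that mail data and `/var/dkim` must be seeded from storage1 before activation would save the next operator a lookup. The `# nix run ... htpasswd -nbB "" "super secret password"` hint passes the password on the command line, where it lands in shell history and process listings; `htpasswd -nB ""` prompts for it instead. The block opens mid-hunk and the hunk's final `}` closes an enclosing module whose start is outside the hunk.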
@@ -71,135 +33,12 @@
 services.nginx.enable = true;
 services.openssh.enable = true;
 
-
- };
-
- mailserver = {
- enable = true;
- fqdn = "mail.banditlair.com";
- domains = [
- "banditlair.com"
- "froidmont.org"
- "falbo.fr"
- ];
- localDnsResolver = false;
- enableManageSieve = true;
- mailDirectory = "/nix/var/data/vmail";
- sieveDirectory = "/nix/var/data/sieve";
- lmtpSaveToDetailMailbox = "no";
- policydSPFExtraConfig = ''
- Domain_Whitelist = skynet.be
- '';
- loginAccounts = {
- "paultrial@banditlair.com" = {
- # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
- hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
- aliases = [
- "contact@froidmont.org"
- "account@banditlair.com"
- ];
- };
- "marie-alice@froidmont.org" = {
- hashedPasswordFile = config.sops.secrets.mariePassword.path;
- aliases = [
- "osteopathie@froidmont.org"
- "communication@froidmont.org"
- ];
- };
- "alice@froidmont.org" = {
- hashedPasswordFile = config.sops.secrets.alicePassword.path;
- };
- "elios@banditlair.com" = {
- hashedPasswordFile = config.sops.secrets.eliosPassword.path;
- aliases = [
- "webshit@banditlair.com"
- "outlook-pascal@banditlair.com"
- ];
- };
- "monit@banditlair.com" = {
- hashedPasswordFile = config.sops.secrets.monitPassword.path;
- sendOnly = true;
- };
- "noreply@banditlair.com" = {
- hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
- sendOnly = true;
- };
- "noreply@froidmont.org" = {
- hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
- sendOnly = true;
- };
- };
- extraVirtualAliases = {
- "info@banditlair.com" = "paultrial@banditlair.com";
- "postmaster@banditlair.com" = "paultrial@banditlair.com";
- "abuse@banditlair.com" = "paultrial@banditlair.com";
-
- "info@froidmont.org" = "paultrial@banditlair.com";
- "postmaster@froidmont.org" = "paultrial@banditlair.com";
- "abuse@froidmont.org" = "paultrial@banditlair.com";
-
- "info@falbo.fr" = "paultrial@banditlair.com";
- "postmaster@falbo.fr" = "paultrial@banditlair.com";
- "abuse@falbo.fr" = "paultrial@banditlair.com";
-
- #Catch all
- "@banditlair.com" = "paultrial@banditlair.com";
- "@froidmont.org" = "paultrial@banditlair.com";
- "@falbo.fr" = "elios@banditlair.com";
- };
-
- certificateScheme = "acme-nginx";
 };
 
 networking.firewall.allowedTCPPorts = [
 80
 443
- 18080
- 23363 # Minecraft
 ];
- networking.firewall.allowedUDPPorts = [
- 23363 # Minecraft
- ];
-
- networking.nat.enable = true;
- networking.nat.internalInterfaces = [ "ve-+" ];
- networking.nat.externalInterface = "enp2s0";
-
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-rsa 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 root@hel1"
- ];
-
- users.users.www-data = {
- uid = 993;
- createHome = true;
- home = "/home/www-data";
- useDefaultShell = true;
- group = config.users.groups.www-data.name;
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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 sshfs-2021-07-16"
- ];
- };
- users.groups.www-data = {
- gid = 991;
- };
-
- services.openssh.settings.Macs = [
- "hmac-sha2-512-etm@openssh.com"
- "hmac-sha2-256-etm@openssh.com"
- "umac-128-etm@openssh.com"
- "hmac-sha2-256" # Needed for Nextcloud sshfs
- ];
-
- users.users.steam = {
- isNormalUser = true;
- group = config.users.groups.steam.name;
- };
- users.groups.steam = { };
-
- # services.rustdesk-server = {
- # enable = true;
- # openFirewall = true;
- # };
 
 services.borgbackup.repos = {
 epicerie_du_cellier = {
diff --git a/terraform/config.tf b/terraform/config.tf
index 6817042..24d0b75 100644
--- a/terraform/config.tf
+++ b/terraform/config.tf
@@ -10,7 +10,7 @@ terraform {
 required_providers {
 hcloud = {
 source = "hetznercloud/hcloud"
- version = "1.24.1"
+ version = ">=1.24.1"
 }
 
 hetznerdns = {
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 86f3e94..ec92ade 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
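Review bot: `version = ">=1.24.1"` is an open-ended constraint, so a future `terraform init -upgrade` may select any later major release of the hcloud provider, breaking changes included, and the exact pin this line used to provide is gone. If the intent is to follow patch and minor releases, the pessimistic operator does that without admitting a new major: `version = "~> 1.24"`. Whichever constraint is chosen, the version actually installed is fixed by the committed `.terraform.lock.hcl`, and this diff does not show that file being updated alongside the constraint.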
@@ -3,6 +3,7 @@ locals {
 storage1_ip = "78.46.96.243"
 storage1_ipv6 = "2a01:4f8:120:8233::1"
 hel1_ip = "37.27.138.62"
+ hel1_ipv6 = "2a01:4f9:3100:1202::2"
 }
 
 data "hetznerdns_zone" "banditlair_zone" {
@@ -40,7 +41,7 @@ resource "hetznerdns_record" "webmail_a" {
 resource "hetznerdns_record" "mail_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "mail"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
@@ -48,7 +49,7 @@ resource "hetznerdns_record" "mail_a" {
 resource "hetznerdns_record" "mail_aaaa" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "mail"
- value = local.storage1_ipv6
+ value = local.hel1_ipv6
 type = "AAAA"
 ttl = 600
 }
@@ -216,7 +217,7 @@ resource "hetznerdns_record" "db1_a" {
 resource "hetznerdns_record" "banditlair_dedicated_a" {
 zone_id = data.hetznerdns_zone.banditlair_zone.id
 name = "*"
- value = local.storage1_ip
+ value = local.hel1_ip
 type = "A"
 ttl = 600
 }
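Review bot: `mail_a` and `mail_aaaa` now point mail.banditlair.com at hel1, but nothing in this diff sets the reverse DNS for `37.27.138.62` and `2a01:4f9:3100:1202::2`; receivers that check forward-confirmed reverse DNS will reject or greylist mail from hel1 until a PTR for each address resolves to `mail.banditlair.com` (with the hcloud provider that is an `hcloud_rdns` resource, if the server itself is managed in this Terraform). The SPF TXT records for banditlair.com, froidmont.org and falbo.fr are also not in the diff; if they name storage1's addresses as `ip4:`/`ip6:` literals rather than via `a`/`mx`, outbound mail from hel1 fails SPF as soon as this is applied. A comment above `hel1_ipv6` noting that both hel1 addresses must stay in step with the server's PTR records would tie these together. Both record resources are fully inside their hunks.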
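Review bot: `banditlair_dedicated_a` moves the wildcard A record to hel1, but no wildcard AAAA change appears in this diff even though `mail_aaaa` was updated together with `mail_a`; if a matching wildcard AAAA record exists it still resolves to `storage1_ipv6`, and dual-stack clients would then reach different hosts depending on address family. Worth confirming that there is no wildcard AAAA record, or updating it in the same change.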