✨ [pi4] Added initial Simple mailserver config

2025-06-02 17:44:41 +00:00
parent be02be6bf2
commit b74e5aab62
7 changed files with 229 additions and 25 deletions
--- a/hosts/pi4/caddy.nix
+++ b/hosts/pi4/caddy.nix
@ -4,11 +4,13 @@ let
 in
 {
  services.caddy = {
-    enable = true;
+    enable = false;
    email = "cert@${domain}";
    virtualHosts =
      let
-        reverseProxy = port: "reverse_proxy localhost:${builtins.toString port}";
+        localProxy = proxyTo "localhost";
+        homelabProxy = proxyTo "192.168.10.231";
+        proxyTo = ip: port: "reverse_proxy ${ip}:${builtins.toString port}";
        redirect = subdomain: "redir https://${subdomain}.${domain}{uri}";
      in
      {
@ -23,62 +25,66 @@ in
        '';
        # Gitea
        "code.${domain}".extraConfig = ''
-          ${reverseProxy 3000}
+          ${homelabProxy 3000}
+        '';
+        # Forgejo
+        "beta.code.${domain}".extraConfig = ''
+          ${localProxy 8001}
        '';
        # Nextcloud
        "nextcloud.${domain}".extraConfig = ''
          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301
-          ${reverseProxy 11000}
+          ${homelabProxy 11000}
        '';
        # Kitchenowl
        "grocery.${domain}".extraConfig = ''
-          ${reverseProxy 800}
+          ${homelabProxy 800}
        '';
        # Actual Budget
        "budget.${domain}".extraConfig = ''
-          ${reverseProxy 5006}
+          ${homelabProxy 5006}
        '';
        # Uptime Kuma
        "status.${domain}".extraConfig = ''
-          ${reverseProxy 3001}
+          ${homelabProxy 3001}
        '';
        # Headscale
        "vpn.${domain}".extraConfig = ''
-          reverse_proxy /web* localhost:8084
-          reverse_proxy * localhost:8082
+          reverse_proxy /web* 192.168.10.231:8084
+          reverse_proxy * 192.168.10.231:8082
        '';
        # Headscale SmartDNS
        "dns.${domain}".extraConfig = ''
-          ${reverseProxy 8082}
+          ${homelabProxy 8082}
        '';
        # FreshRSS
        "rss.${domain}".extraConfig = ''
-          ${reverseProxy 8085}
+          ${homelabProxy 8085}
        '';
        # Ente backend
        "api.ente.${domain}".extraConfig = ''
-          ${reverseProxy 8083}
+          ${homelabProxy 8083}
        '';
        # Ente Photos frontend
        "ente.${domain}".extraConfig = ''
-          ${reverseProxy 3003}
+          ${homelabProxy 3003}
        '';
        # Ente Auth frontend
        "mfa.${domain}".extraConfig = ''
-          ${reverseProxy 3004}
+          ${homelabProxy 3004}
        '';
        # Homepage / portfolio
-        "${domain}".extraconfig = ''
-          ${reverseProxy 4321}
+        "${domain}".extraConfig = ''
+          ${homelabProxy 4321}
        '';
        # Yamtrack
        "track.${domain}".extraConfig = ''
-          ${reverseProxy 8090}
+          ${homelabProxy 8090}
        '';
-        # Postal
-        "mail.${domain}".extraConfig = ''
-          ${reverseProxy 5000}
+        # Donetick
+        "chore.${domain}".extraConfig = ''
+          ${homelabProxy 2021}
        '';
      };
  };
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -4,8 +4,10 @@
  imports = with lib.custom; [
    (relativeToBase "modules")
    ./boot.nix
+    ./caddy.nix
    ./forgejo.nix
    ./hardware.nix
+    ./mailserver.nix
    ./nextcloud.nix
    ./podman.nix
    ./security
--- a/hosts/pi4/forgejo.nix
+++ b/hosts/pi4/forgejo.nix
@ -34,9 +34,10 @@ in
        # Sending emails is completely optional
        # You can send a test email from the web UI at:
        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
-        mailer = {
+        mailer = lib.mkIf config.mailserver.enable {
          ENABLED = true;
-          SMTP_ADDR = "mail.${common.domain}";
+          PROTOCOL = "smtps";
+          SMTP_ADDR = config.mailserver.fqdn;
          FROM = "noreply-forgejo@${common.domain}";
          USER = "noreply@${common.domain}";
        };
--- a/hosts/pi4/mailserver.nix
+++ b/hosts/pi4/mailserver.nix
@ -0,0 +1,55 @@
+{
+  lib,
+  config,
+  inputs,
+  common,
+  systemConfig,
+  ...
+}:
+let
+  cfg = config.mailserver;
+  passwordHashKey = "mailserver/password-hash";
+in
+{
+  imports = [
+    inputs.simple-nixos-mailserver.nixosModule
+  ];
+
+  mailserver = {
+    enable = true;
+    # stateVersion = 1; TODO uncomment on 25.11
+    fqdn = "mail.${common.domain}";
+    domains = [
+      common.domain
+    ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "${systemConfig.username}@${common.domain}" = {
+        hashedPasswordFile = config.sops.secrets.${passwordHashKey}.path;
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    # certificateScheme = "acme-nginx";
+  };
+  # security.acme.acceptTerms = true;
+  # security.acme.defaults.email = "security@example.com";
+
+  services.nginx.virtualHosts.${cfg.fqdn}.listen = lib.mkForce [
+    {
+      addr = "127.0.0.1";
+      port = 8003;
+      ssl = false;
+    }
+    {
+      addr = "192.168.10.188";
+      port = 8003;
+      ssl = false;
+    }
+  ];
+
+  sops.secrets.${passwordHashKey}.neededForUsers = true;
+}