authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-04-01 16:13:51 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-04-01 16:13:51 +0200
commit9c72df2287ae8ddd4c3f93675f608e414ab5e8e7 (patch)
tree8849d4176a26f3c613e9422e68298e0fe5e22cba
parentzones/vhack.eu: Correct specify the SRV targets as fully-qualified (diff)
downloadnixos-server-9c72df2287ae8ddd4c3f93675f608e414ab5e8e7.zip
{hosts/server3,zones/vhack.eu}: Activate stalwart-mail on server3 for soispha
-rw-r--r--hosts/by-name/server2/configuration.nix31
-rw-r--r--hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age16
-rw-r--r--hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public1
-rw-r--r--hosts/by-name/server3/configuration.nix31
-rwxr-xr-xhosts/by-name/server3/secrets/dkim/gen_key.sh (renamed from hosts/by-name/server2/secrets/dkim/gen_key.sh)0
-rw-r--r--hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age16
-rw-r--r--hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public1
-rw-r--r--zones/vhack.eu/zone.nix10
8 files changed, 55 insertions, 51 deletions
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index 10bbb71..fc15bdc 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -57,37 +57,6 @@
       enable = true;
       fqdn = "mail.foss-syndicate.org";
     };
-    stalwart-mail = {
-      enable = false;
-      fqdn = "mail.vhack.eu";
-      admin = "admin@vhack.eu";
-      security = {
-        dkimKeys = let
-          loadKey = name: {
-            dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");
-            dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";
-            keyAlgorithm = "ed25519-sha256";
-          };
-        in {
-          "mail.vhack.eu" = loadKey "mail.vhack.eu";
-        };
-        verificationMode = "strict";
-      };
-      openFirewall = true;
-      principals = [
-        {
-          class = "individual";
-          name = "soispha";
-          secret = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
-          email = [
-            "soispha@vhack.eu"
-            "abuse@vhack.eu"
-            "postmaster@vhack.eu"
-            "admin@vhack.eu"
-          ];
-        }
-      ];
-    };
     nginx = {
       enable = true;
       redirects = {
diff --git a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age
deleted file mode 100644
index 586a266..0000000
--- a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TXdkcGE3VDhPVFd1aThX
-dno3RWtMbE9vR1NuQjJXR003NmxrbllSTVhVCit5aExOb2NVSzFKZWswNlQ3R3ds
-Rkt3QjU4dlUyVEdQaWFFbU9iejJOV28KLT4gWDI1NTE5IFFoVjFhMWlzUUlPWUFK
-cEcwVlQrbzhkRjdEU2FoNmJ2MGpkc1NLcG5zZ1EKNnc0R3BGR0FSQWUvTlIyTk94
-ME82VDRnTytwZnAvVUl6bEFzSTFNUm5BQQotPiBzc2gtZWQyNTUxOSBYUG94RFEg
-eFRmUlY2QUhUdUNWQ0xMai9IMEFJZWQxWG9MUktDMnIycnNIS3NELzFGMApxbkx3
-ZlFJTzVNTjlKSzNkOW9reXFYM04xQThQNGgvblNBRUJyZk1HUUZZCi0+IHozLWdy
-ZWFzZSBuJT0Ka3NhLzVpY0Z0TW5HckJYUEhpZWlRazFjbzZEMTBwanRFdVA2WWNx
-SUpLQitzNUlCQlpQQkZrZDRvbFdBMUgzVApnZ3MyMzF6dlRKZmxmd3NQejJJeE1q
-YTVvUExxTTVIVkNNWldyWkY4b3cKLS0tIHYyRWV4WEo4RW1aK3E0MkNucnp1SVVQ
-ZHdORjY2Z2IvMkI3a0VQbllWdncKej5N7MfXO+6MbxluZfM+Df75nBiNAEhrkvqX
-dHB6qKXScbQHQp9Dpsuv/eR+vaW3rMstOMkAas4RDCii1iDwv2MjXtrFcPKXCBiz
-/aiPvmn/7f/cXFw6pTSmLsF2AXGy2wepOEdIVQM4Gml7yVgVhQ3cK4QRGzPjW4Yf
-urNumFlJQ7a8NVFNK2C9a+bfIz0eUYcJrOOjBg==
------END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public
deleted file mode 100644
index 7654a2c..0000000
--- a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public
+++ /dev/null
@@ -1 +0,0 @@
-U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=
\ No newline at end of file
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index a89e047..7f5bce5 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -67,6 +67,37 @@
         "/var/log"
       ];
     };
+    stalwart-mail = {
+      enable = true;
+      fqdn = "mail.vhack.eu";
+      admin = "admin@vhack.eu";
+      security = {
+        dkimKeys = let
+          loadKey = name: {
+            dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");
+            dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";
+            keyAlgorithm = "ed25519-sha256";
+          };
+        in {
+          "mail.vhack.eu" = loadKey "mail.vhack.eu";
+        };
+        verificationMode = "strict";
+      };
+      openFirewall = true;
+      principals = [
+        {
+          class = "individual";
+          name = "soispha";
+          secret = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+          email = [
+            "soispha@vhack.eu"
+            "abuse@vhack.eu"
+            "postmaster@vhack.eu"
+            "admin@vhack.eu"
+          ];
+        }
+      ];
+    };
     postgresql.enable = true;
     rust-motd.enable = true;
     users.enable = true;
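Review bot: The `secret` for principal `soispha` is a bcrypt hash with cost factor 5 (`$2b$05$`) written inline, so anyone who can read the repository can read it, and it presumably also ends up in the world-readable Nix store on the host. A cost of 5 gives little protection against offline guessing once the hash is exposed, and this one account also receives `admin@`, `postmaster@` and `abuse@`. If the module offers a file-based option for the secret, supply it the way `dkimPrivateKeyPath` supplies the DKIM key (age-encrypted, decrypted at activation). Then change the password and store the new hash with a cost of at least 10. The block is carried over unchanged from server2, so the current hash is already in history and should be treated as disclosed.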
diff --git a/hosts/by-name/server2/secrets/dkim/gen_key.sh b/hosts/by-name/server3/secrets/dkim/gen_key.sh
index 61da156..61da156 100755
--- a/hosts/by-name/server2/secrets/dkim/gen_key.sh
+++ b/hosts/by-name/server3/secrets/dkim/gen_key.sh
diff --git a/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age
new file mode 100644
index 0000000..8d66808
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-private.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public
new file mode 100644
index 0000000..fa5d243
--- /dev/null
+++ b/hosts/by-name/server3/secrets/dkim/mail.vhack.eu-public
@@ -0,0 +1 @@
+U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=
diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
index aa70e0c..0d296e0 100644
--- a/zones/vhack.eu/zone.nix
+++ b/zones/vhack.eu/zone.nix
@@ -67,6 +67,10 @@ in {
   MX = [
     {
       preference = 10;
+      exchange = "mail.vhack.eu.";
+    }
+    {
+      preference = 100;
       exchange = "mail.foss-syndicate.org.";
     }
   ];
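Review bot: The new primary `exchange = "mail.vhack.eu.";` names a host that the last hunk of this file defines as an alias (`mail.CNAME = ["server3.vhack.eu."]`), and an MX target must not be a CNAME (RFC 2181 §10.3); some sending MTAs reject or mishandle such records. Giving `mail` its own address records instead of the CNAME keeps the name aligned with `fqdn = "mail.vhack.eu"` on server3; pointing the MX at `server3.vhack.eu.` would also resolve the conflict. Separately, `mail.foss-syndicate.org.` stays as the preference-100 fallback while this commit removes the vhack.eu mail block from server2. It is worth confirming that this host still accepts or relays mail for vhack.eu with the same verification policy, since senders will fall back to it whenever server3 is unreachable.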
@@ -86,8 +90,8 @@ in {
   DKIM = [
     {
       selector = "mail";
-      k = "rsa";
-      p = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8KXSkQD0ZFk3EetJ1qaoqevvdBoV93dRh5X2GCcc7hWBtLWtj31F3BefgfcrbdACVitdmJcRu7ed8qZMpxZM9pN5TrPMebAkjxMvMH554Wvi1FSwzuPSR724NHPKIgveU8pgiYffks5Mu1ejZmBvlnhXjpbDCEL1reWk+OtmB+QIDAQAB";
+      k = "ed25519";
+      p = "U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg=";
       s = ["email"];
       t = ["s"];
     }
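Review bot: Selector `mail` now publishes only an Ed25519 key, and not every receiver verifies `ed25519-sha256` DKIM signatures (RFC 8463); those receivers will treat mail from the domain as unsigned, leaving DMARC alignment to SPF alone. Swapping `k`/`p` in place under the same selector also means any message still carrying a signature from the previous RSA key stops verifying as soon as the record changes. Consider publishing the Ed25519 key under a new selector and keeping an RSA key for dual signing, if the mail server configuration allows more than one key per domain. The `p` value is the same public key that this commit deletes from the server2 secrets directory, so a new selector would also be a natural point to generate a fresh key pair for server3.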
@@ -140,7 +144,7 @@ in {
 
     source.CNAME = ["server2.vhack.eu."];
 
-    mail.CNAME = ["server2.vhack.eu."];
+    mail.CNAME = ["server3.vhack.eu."];
 
     dav.CNAME = ["server2.vhack.eu."];
     etebase.CNAME = ["server2.vhack.eu."];