authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-03-21 12:26:14 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-03-29 15:13:15 +0100
commit5c28c5d242c60c0fdceffa88a33c65d540e1c8b7 (patch)
treea65b4547f7cc73f08e947d209b929452a3e7b2f5
parenttests/email-dns/secrets: Re-key secrets, so that soispha and sils can read them (diff)
hosts/server2: Setup stalwalt-mail on mail.vhack.eu for soispha@vhack.eu
We need to actually test stalwart out in the real world, because the test can never actually capture all the weird things people do with their mail setup. Refs: #6ea08aa
-rw-r--r--hosts/by-name/server2/configuration.nix31
-rwxr-xr-xhosts/by-name/server2/secrets/dkim/gen_key.sh33
-rw-r--r--hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age16
-rw-r--r--hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public1
-rw-r--r--modules/by-name/ma/mail/module.nix20
-rw-r--r--zones/vhack.eu/zone.nix10
6 files changed, 97 insertions, 14 deletions
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index 5fe635a..cbc1ff3 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -57,6 +57,37 @@
enable = true;
fqdn = "mail.foss-syndicate.org";
};
+ stalwart-mail = {
+ enable = true;
+ fqdn = "mail.vhack.eu";
+ admin = "admin@vhack.eu";
+ security = {
+ dkimKeys = let
+ loadKey = name: {
+ dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}/public");
+ dkimPrivateKeyPath = ./secrets/dkim + "/${name}/private.age";
+ keyAlgorithm = "ed25519-sha256";
+ };
+ in {
+ "mail.vhack.eu" = loadKey "vhack.eu";
+ };
+ verificationMode = "strict";
+ };
+ openFirewall = true;
+ principals = [
+ {
+ class = "individual";
+ name = "soispha";
+ secret = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ email = [
+ "soispha@vhack.eu"
+ "abuse@vhack.eu"
+ "postmaster@vhack.eu"
+ "admin@vhack.eu"
+ ];
+ }
+ ];
+ };
nginx = {
enable = true;
redirects = {
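Review bot: The `loadKey` helper builds the paths `./secrets/dkim/<name>/public` and `./secrets/dkim/<name>/private.age`, but the files this commit adds (and the names gen_key.sh writes) are the flat `secrets/dkim/mail.vhack.eu-public` and `secrets/dkim/mail.vhack.eu-private.age`, so `builtins.readFile` fails at evaluation for the `loadKey "vhack.eu"` call. Change the helper to `dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");` and `dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";` and invoke it as `"mail.vhack.eu" = loadKey "mail.vhack.eu";`. Separately, the bcrypt hash in `secret` uses cost factor 05 (the `$2b$05$` prefix), which is well below the usual 10 or more for a credential that ends up world-readable in the Nix store; since it is being carried over from module.nix to a new service anyway, regenerating it at a higher cost would be cheap now.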
diff --git a/hosts/by-name/server2/secrets/dkim/gen_key.sh b/hosts/by-name/server2/secrets/dkim/gen_key.sh
new file mode 100755
index 0000000..61da156
--- /dev/null
+++ b/hosts/by-name/server2/secrets/dkim/gen_key.sh
@@ -0,0 +1,33 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -p rage -p openssl -p bash -i bash --impure
+
+# shellcheck shell=bash
+
+cd "$(dirname "$0")" || {
+ echo "No basedir?!"
+ exit 1
+}
+
+key_name="$1"
+[ -z "$key_name" ] && {
+ echo "Usage: $0 KEY_NAME IDENTITY"
+ exit 2
+}
+
+openssl genpkey \
+ -algorithm ed25519 \
+ -out - |
+ tee >(openssl pkey \
+ -pubout \
+ -out - |
+ openssl asn1parse \
+ -offset 12 \
+ -noout \
+ -out - |
+ base64 --wrap 0 >"$key_name-public") |
+ rage --encrypt \
+ --armor \
+ --recipient "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn" \
+ >"$key_name-private.age"
+
+# vim: ft=sh
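Review bot: The pipeline runs without `set -euo pipefail`, so a failure in `openssl genpkey` or in the `openssl pkey` branch still leaves a truncated or empty `$key_name-private.age` or `$key_name-public` behind, which the Nix config then reads as if it were a valid key; add `set -euo pipefail` right after the `# shellcheck` line. The usage text names an `IDENTITY` argument that the script never reads, since the age recipient is hard-coded, and the committed `mail.vhack.eu-private.age` appears to carry more than one recipient stanza, which suggests it was encrypted outside this script; either drop `IDENTITY` from the usage line or turn the recipient list into a parameter so the script stays the source of truth. Because `$key_name` becomes part of the output path unvalidated, a name containing `/` writes outside the secrets directory; a guard such as `case "$key_name" in */*) echo "KEY_NAME must not contain /"; exit 2 ;; esac` keeps the outputs where the Nix config expects them.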
diff --git a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age
new file mode 100644
index 0000000..586a266
--- /dev/null
+++ b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-private.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TXdkcGE3VDhPVFd1aThX
+dno3RWtMbE9vR1NuQjJXR003NmxrbllSTVhVCit5aExOb2NVSzFKZWswNlQ3R3ds
+Rkt3QjU4dlUyVEdQaWFFbU9iejJOV28KLT4gWDI1NTE5IFFoVjFhMWlzUUlPWUFK
+cEcwVlQrbzhkRjdEU2FoNmJ2MGpkc1NLcG5zZ1EKNnc0R3BGR0FSQWUvTlIyTk94
+ME82VDRnTytwZnAvVUl6bEFzSTFNUm5BQQotPiBzc2gtZWQyNTUxOSBYUG94RFEg
+eFRmUlY2QUhUdUNWQ0xMai9IMEFJZWQxWG9MUktDMnIycnNIS3NELzFGMApxbkx3
+ZlFJTzVNTjlKSzNkOW9reXFYM04xQThQNGgvblNBRUJyZk1HUUZZCi0+IHozLWdy
+ZWFzZSBuJT0Ka3NhLzVpY0Z0TW5HckJYUEhpZWlRazFjbzZEMTBwanRFdVA2WWNx
+SUpLQitzNUlCQlpQQkZrZDRvbFdBMUgzVApnZ3MyMzF6dlRKZmxmd3NQejJJeE1q
+YTVvUExxTTVIVkNNWldyWkY4b3cKLS0tIHYyRWV4WEo4RW1aK3E0MkNucnp1SVVQ
+ZHdORjY2Z2IvMkI3a0VQbllWdncKej5N7MfXO+6MbxluZfM+Df75nBiNAEhrkvqX
+dHB6qKXScbQHQp9Dpsuv/eR+vaW3rMstOMkAas4RDCii1iDwv2MjXtrFcPKXCBiz
+/aiPvmn/7f/cXFw6pTSmLsF2AXGy2wepOEdIVQM4Gml7yVgVhQ3cK4QRGzPjW4Yf
+urNumFlJQ7a8NVFNK2C9a+bfIz0eUYcJrOOjBg==
+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public
new file mode 100644
index 0000000..7654a2c
--- /dev/null
+++ b/hosts/by-name/server2/secrets/dkim/mail.vhack.eu-public
@@ -0,0 +1 @@
+U0eOxgLD3yK7PKzQRSZdJ3EH/UwVxPeYmfm42gYXsDg= \ No newline at end of file
diff --git a/modules/by-name/ma/mail/module.nix b/modules/by-name/ma/mail/module.nix
index 55f2fb8..4df3b1d 100644
--- a/modules/by-name/ma/mail/module.nix
+++ b/modules/by-name/ma/mail/module.nix
@@ -5,9 +5,9 @@
}: let
cfg = config.vhack.mail;
all_admins = [
- "sils@vhack.eu"
- "soispha@vhack.eu"
- "nightingale@vhack.eu"
+ # "sils@vhack.eu"
+ # "soispha@vhack.eu"
+ # "nightingale@vhack.eu"
];
in {
options.vhack.mail = {
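Review bot: The admin addresses are kept as commented-out list entries instead of being removed, which leaves `all_admins = [ ]` bound but unused once the `extraVirtualAliases` hunk below comments out its three consumers; the same pattern repeats in the `domains` and login-account hunks of this file. Deleting the lines (the history is in git) avoids an empty binding and stale aliases that read as if they were still active. If the entries are being kept for a possible rollback, a one-line comment stating that vhack.eu mail moved to stalwart on server2 says more than the dead code does.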
@@ -76,9 +76,9 @@ in {
useFsLayout = true;
extraVirtualAliases = {
- "abuse@vhack.eu" = all_admins;
- "postmaster@vhack.eu" = all_admins;
- "admin@vhack.eu" = all_admins;
+ # "abuse@vhack.eu" = all_admins;
+ # "postmaster@vhack.eu" = all_admins;
+ # "admin@vhack.eu" = all_admins;
};
mailDirectory = "/var/lib/mail/vmail";
@@ -100,7 +100,7 @@ in {
certificateFile = "/var/lib/acme/${cfg.fqdn}/fullchain.pem";
domains = [
- "vhack.eu"
+ # "vhack.eu"
"s-schoeffel.de"
"b-peetz.de"
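Review bot: `vhack.eu` is dropped from `domains` while the `sils@vhack.eu` login account in the next hunk stays on this server. If the mailserver module requires each account's domain to be listed in `domains`, this hunk now fails evaluation; if it does not, that mailbox silently stops receiving anything because the zone change in this commit points the vhack.eu MX elsewhere. Either move `sils@vhack.eu` into the stalwart `principals` on server2 or remove the account here together with the domain.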
@@ -114,9 +114,9 @@ in {
"sils@vhack.eu" = {
hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
};
- "soispha@vhack.eu" = {
- hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
- };
+ # "soispha@vhack.eu" = {
+ # hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ # };
"benedikt.peetz@b-peetz.de" = {
hashedPassword = "$2b$05$MfET8utot2OolPZNASqoDe4VXNoG2chnEWhdfQ2E92mit0TvI2gBy";
diff --git a/zones/vhack.eu/zone.nix b/zones/vhack.eu/zone.nix
index 78f2f13..5f65034 100644
--- a/zones/vhack.eu/zone.nix
+++ b/zones/vhack.eu/zone.nix
@@ -31,7 +31,7 @@
MX = [
{
preference = 10;
- exchange = "mail.foss-syndicate.org.";
+ exchange = "mail.vhack.org.";
}
];
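Review bot: The new `exchange` is `mail.vhack.org.`, but the host this commit sets up is `mail.vhack.eu` (the `fqdn` in configuration.nix and the `mail.CNAME` record added to this zone), so the MX now hands vhack.eu mail to a name under a different domain, and the three SRV `target` changes in the later hunks of this file carry the same `.org`. If that domain is not under your control, whoever operates it receives the mail and the IMAP/POP3/SMTP autodiscovery credentials. Change the lines to `exchange = "mail.vhack.eu.";` and `target = "mail.vhack.eu";` in each of the four hunks.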
@@ -77,7 +77,7 @@
priority = 0;
weight = 1;
port = 993;
- target = "mail.foss-syndicate.org";
+ target = "mail.vhack.org";
}
{
service = "pop3s";
@@ -85,7 +85,7 @@
priority = 0;
weight = 1;
port = 995;
- target = "mail.foss-syndicate.org";
+ target = "mail.vhack.org";
}
{
service = "smtps";
@@ -93,7 +93,7 @@
priority = 0;
weight = 1;
port = 465;
- target = "mail.foss-syndicate.org";
+ target = "mail.vhack.org";
}
];
# }}}
@@ -104,6 +104,8 @@
source.CNAME = ["server2.vhack.eu."];
+ mail.CNAME = ["server2.vhack.eu."];
+
dav.CNAME = ["server2.vhack.eu."];
etebase.CNAME = ["server2.vhack.eu."];
git.CNAME = ["server2.vhack.eu."];