Commit message (Author, Age)
* hosts/server3: Use supported password hashing function for soispha@vhack.eu stalwart (Benedikt Peetz, 14 hours ago)
* hosts/server3: Use another password (Benedikt Peetz, 15 hours ago)
* hosts/server3: Use correct mail password for soispha (Benedikt Peetz, 15 hours ago)
* modules/stalwart-mail: Use correct redis group (Benedikt Peetz, 16 hours ago)
* hosts/server2: Format (Benedikt Peetz, 7 days ago)
* tests/email-dns/secrets/dkim/gen_key.sh: Add shellcheck shell (Benedikt Peetz, 7 days ago)
* {hosts/server3,zones/vhack.eu}: Activate stalwart-mail on server3 for soispha (Benedikt Peetz, 7 days ago)
* zones/vhack.eu: Correctly specify the SRV targets as fully-qualified (Benedikt Peetz, 7 days ago)
* zones/vhack.eu: Set the SOA name server entry to a real domain (Benedikt Peetz, 7 days ago)
* zones/vhack.eu: Make it obvious that the serial number must be changed (Benedikt Peetz, 7 days ago)

  The comment alone would probably suffice, but having a convenient function that makes it obvious *what* part of the serial number you are actually supposed to change seems quite useful when trying to reduce the possibilities of forgetting it.
* tests/dns: Avoid tracing the name-server interfaces (Benedikt Peetz, 7 days ago)
* zones/vhack.eu: Also revert the mail server changes (Benedikt Peetz, 9 days ago)
* {hosts/server2,modules/mail}: Re-activate the old mail server (Benedikt Peetz, 9 days ago)

  Running two mail-servers on one system is a total /mess/. Both try to bind to the same ports; the old stack consists of **5** different systemd services whilst stalwart-mail's systemd service simply refuses to stop, etc. I'm confident that it can work, but it would probably be best to deploy the new mail-server on server3.
* modules/mail: Avoid changing the `virtualMail` user uid (Benedikt Peetz, 9 days ago)

  We would need to set the `vmailUID` option to this value, and even then some parts of SNM would still hardcode the default of 5000. Considering that we are in the process of phasing out SNM, this does not seem to be a worthwhile endeavour.
* modules/mail: Actually set the uid/gid of the virtualMail user (Benedikt Peetz, 9 days ago)
* zones/vhack.eu: Use correct `eu` tld instead of `org` (Benedikt Peetz, 9 days ago)
* modules/stalwart-mail: Assign uids and gids to the stalwart users (Benedikt Peetz, 10 days ago)
* modules/constants: Enforce the 0 to 400 limit (Benedikt Peetz, 10 days ago)
* modules/constants: Correctly assign each uid so that none is greater than 400 (Benedikt Peetz, 10 days ago)

  The uid ranges from 400 upwards are reserved for things that allocate them dynamically during runtime (like systemd). Our users would then get clobbered, thus we avoid that range.

  BREAKING CHANGE: Well, we'll need to change all uids of the files owned by the respective users.
* modules/constants: Dry gid definitions by inheriting the uids (Benedikt Peetz, 10 days ago)
* hosts/server2: Use the correct path to the DKIM keys (Benedikt Peetz, 10 days ago)
* hosts/server2: Setup stalwart-mail on mail.vhack.eu for soispha@vhack.eu (Benedikt Peetz, 10 days ago)

  We need to actually test stalwart out in the real world, because the test can never actually capture all the weird things people do with their mail setup.

  Refs: #6ea08aa
* tests/email-dns/secrets: Re-key secrets, so that soispha and sils can read them (Benedikt Peetz, 12 days ago)

  Doing a full `ragenix --rekey --identity <soispha.age.key>` run will fail if there are secrets that she cannot decrypt. Thus encrypt the test secrets with all keys.
* flake.lock: Update (Benedikt Peetz, 12 days ago)
* zones/vhack.eu: Fix cyclic CNAME entry for `source.vhack.eu` (Benedikt Peetz, 2025-03-21)
* zones/vhack.eu: Add the `source.vhack.eu` dns entry for the redirect (Benedikt Peetz, 2025-03-21)
* zones/vhack.eu: Update to actually be a drop-in replacement for netcup's servers (Benedikt Peetz, 2025-03-21)

  Currently, our NS record was missing, and we had an MX record that pointed to `mail.foss-syndicate.org.vhack.eu`.
* zones: Provide a single entry point for all zones (Benedikt Peetz, 2025-03-11)
* zones/vhack.eu: Set correct CNAME records (Benedikt Peetz, 2025-03-10)
* modules/system-info: Include port 53 (dns) in port -> name mappings (Benedikt Peetz, 2025-03-10)
* {hosts,zones}: Init dns zone for vhack.eu (Benedikt Peetz, 2025-03-10)
* {modules/system-info,scripts/system_info}: Init (Benedikt Peetz, 2025-03-09)

  This collects relevant information for each host in an informative markdown file. An example (generated via `./scripts/system_info.sh`):

  ```
  # server2

  ## Virtual Hosts
  etebase.vhack.eu:
    dav.vhack.eu
  gallery.s-schoeffel.de
  git.foss-syndicate.org
  invidious-router.vhack.eu:
    video.fosswelt.org
    invidious-router.sils.li
  issues.foss-syndicate.org
  libreddit.vhack.eu
  redlib.vhack.eu
  source.foss-syndicate.org
  source.vhack.eu

  ## Open ports
  TCP 22: ssh
  TCP 25: mail-smtp
  TCP 80: http
  TCP 443: https
  TCP 465: mail-smtp-tls
  TCP 993: mail-imap-tls
  TCP 995: mail-pop3-tls

  # server3

  ## Virtual Hosts
  b-peetz.de
  mastodon.vhack.eu
  matrix.vhack.eu
  miniflux.foss-syndicate.org:
    rss.foss-syndicate.org
    rss.vhack.eu
  miniflux.vhack.eu
  openpgpkey.b-peetz.de
  openpgpkey.s-schoeffel.de
  openpgpkey.sils.li
  openpgpkey.vhack.eu
  peertube.vhack.eu
  trinitrix.vhack.eu
  vhack.eu

  ## Open ports
  TCP 22: ssh
  TCP 80: http
  TCP 443: https
  TCP 64738: ???
  UDP 64738: ???
  ```
* hosts/server2: Use new back config (Benedikt Peetz, 2025-03-09)
* pkgs/back/package.nix: Include the html templates in the build source (Benedikt Peetz, 2025-03-09)
* pkgs/back/config: Also try to open a repo if a directory with `.git` exists (Benedikt Peetz, 2025-03-09)
* pkgs/back: Do not store repositories in config (Benedikt Peetz, 2025-03-09)

  Otherwise, back will need to be restarted every time a new repository is added or removed.
* {modules,tests}/back: Update to deal with newest back (Benedikt Peetz, 2025-03-09)
* pkgs/back/assets/style.css: Format with prettier (Benedikt Peetz, 2025-03-09)
* pkgs/back/README.md: Update to reflect current status (Benedikt Peetz, 2025-03-09)
* pkgs/back: Support listing all repos via the `/` path (Benedikt Peetz, 2025-03-09)

  This change required porting all web handling from rocket to hyper, because we needed fine-grained control over the path the user requested. This should also improve the memory and resource footprint because hyper is lower level. I also changed all of the templates from `format!()` calls to a real templating language because I needed to touch most code paths anyway.
* scripts/get_dns.sh: Init (Benedikt Peetz, 2025-03-09)

  This script is useful when migrating from a hosted DNS server to our own. An example output looks like this (for `get_dns.sh b-peetz.de`):

  ```
  (A) 92.60.38.179 [b-peetz.de]
  (AAAA) 2a03:4000:33:25b::4f4e [b-peetz.de]
  (CAA) 0 issue "letsencrypt.org" [b-peetz.de]
  (CNAME) <Not set> [b-peetz.de]
  (DNAME) <Not set> [b-peetz.de]
  (MX) 10 mail.foss-syndicate.org. [b-peetz.de]
  (NS) second-dns.netcup.net. [b-peetz.de]
  (NS) third-dns.netcup.net. [b-peetz.de]
  (NS) root-dns.netcup.net. [b-peetz.de]
  (SOA) root-dns.netcup.net. dnsadmin.netcup.net. 2025012510 28800 7200 1209600 86400 [b-peetz.de]
  (SRV) <Not set> [b-peetz.de]
  (TXT) "v=spf1 +mx -all" [b-peetz.de]
  (PTR) <Not set> [b-peetz.de]
  (DNSKEY) <Not set> [b-peetz.de]
  (DS) <Not set> [b-peetz.de]
  (SSHFP) <Not set> [b-peetz.de]
  (TLSA) <Not set> [b-peetz.de]
  (OPENPGPKEY) <Not set> [b-peetz.de]
  (SVCB) <Not set> [b-peetz.de]
  (HTTPS) <Not set> [b-peetz.de]
  (TXT) "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZ0lbL3BHTuWmiRj/8ZqbEsKK/yBrhXeKDmu8Oj1IGGbQCiqxGkkrdUMzRrZD+6hH0OWjppqc4Sw/oC8ilgSzSntYzkygGjM/7uBLhWVgLjcO7ovsoF7GIldhXcQSD/3hbI0QOoMV2/w7dEZmbYsulw6b2m8FbSAHPn+RvGmwjzQIDAQAB" [mail._domainkey.b-peetz.de]
  (TXT) "v=DMARC1; p=reject" [_dmarc.b-peetz.de]
  ```
* modules/stalwart-mail: Remove now unneeded `allowInsecureSmtp` option (Benedikt Peetz, 2025-03-09)
* tests/email-dns: Init (Benedikt Peetz, 2025-03-09)

  This test is somewhat involved, but tries to exercise our full mail handling capabilities. It effectively only tests that alice can send a message to bob, but it checks nearly all security mechanisms (DNSSEC is currently still missing).
* pkgs/fetchmail-common-name: Patch fetchmail to accept certificates without common name (Benedikt Peetz, 2025-03-09)

  Pebble gives you SAN-only certificates.
* test/email-ip: Rename from the general `email` test (Benedikt Peetz, 2025-03-09)
* modules/stalwart-mail-free: Remove all `security` dependent checks if it's null (Benedikt Peetz, 2025-03-09)
* pkgs/stalwart-mail-free: Avoid running `stalwart-mail`'s tests (Benedikt Peetz, 2025-03-09)
* pkgs/stalwart-mail-free: Update `cargoHash` (Benedikt Peetz, 2025-03-09)
* modules/stalwart-mail: Capitalize default mailboxes (Benedikt Peetz, 2025-03-09)

  This seems to be somewhat of a standard.
* modules/stalwart-mail: Also listen on :25 without SSL but with STARTTLS (Benedikt Peetz, 2025-03-09)

  This is important, so that other MTAs can send us mail.