about summary refs log tree commit diff stats
Commit message (Collapse)AuthorAge
* modules/stalwart-mail: Add recommended proxy settings for stalwarts-proxyBenedikt Peetz24 hours
| | | | This includes setting things, like setting the `X-Forwarded-For` header.
* modules/constants: Also add a user to each group, so that duplicated gids ↵Benedikt Peetz24 hours
| | | | are avoided
* tests/email-http: Use the factored out DNS serverBenedikt Peetz24 hours
|
* hosts/server2: Use the internal stalwart directoryBenedikt Peetz24 hours
|
* tests/email-http: Test the http self-service availabilityBenedikt Peetz24 hours
|
* modules/stalwart-mail: Don't restart the systemd serviceBenedikt Peetz24 hours
| | | | | | Restarting might be useful, if stalwart is actually _running_ in prod, but currently the constant restart makes it very difficult to debug (or even stop) the service.
* modules/stalwart-mail: Enable the http self-service interfaceBenedikt Peetz24 hours
|
* modules/nginx: Set the "acme" group as group of the "acme" userBenedikt Peetz24 hours
| | | | | For some reason, this is not done already. Setting this prevents an assertion being thrown, that the "acme" user does not have a group.
* modules/stalwart-mail: Allow both nginx and stalwart-mail access to the certBenedikt Peetz24 hours
| | | | | This is needed for the http challenge (and for the potential to use nginx as a proxy in the future.)
* modules/stalwart-mail: Explicitly list out valid password hashesBenedikt Peetz24 hours
| | | | | | If a password hash does not match stalwart's know ones, it will just treat it as plaintext. This is obviously very bad, and should be avoided.
* modules/stalwart-mail: Make `cfg.principals` nullableBenedikt Peetz24 hours
| | | | This makes it possible to use the internal storage
* modules/stalwart-mail: Use correct group name for `redis-stalwart-mail`Benedikt Peetz24 hours
|
* pkgs/stalwart-mail-free: Update package hash, as it changedBenedikt Peetz27 hours
| | | | This has to do with the underlying stalwart-mail update.
* hosts/server2: Setup sharkeyBenedikt Peetz39 hours
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Server2 is currently not so much under load, as such it seems better to split the load. # server2 ## Virtual Hosts etebase.vhack.eu: dav.vhack.eu gallery.s-schoeffel.de git.foss-syndicate.org invidious-router.vhack.eu: video.fosswelt.org invidious-router.sils.li issues.foss-syndicate.org libreddit.vhack.eu nextcloud.vhack.eu # <-- This redlib.vhack.eu sharkey.vhack.eu # <-- And this are the “only” really heavy services here. source.foss-syndicate.org source.vhack.eu ## Open ports TCP 22: ssh TCP 25: mail-smtp TCP 53: dns TCP 80: http TCP 443: https TCP 465: mail-smtp-tls TCP 993: mail-imap-tls TCP 995: mail-pop3-tls TCP 10222: taskchampion-sync UDP 53: dns # server3 ## Virtual Hosts b-peetz.de mail.vhack.eu mastodon.vhack.eu matrix.vhack.eu miniflux.foss-syndicate.org: rss.foss-syndicate.org rss.vhack.eu miniflux.vhack.eu openpgpkey.b-peetz.de openpgpkey.s-schoeffel.de openpgpkey.sils.li openpgpkey.vhack.eu peertube.vhack.eu trinitrix.vhack.eu vhack.eu ## Open ports TCP 22: ssh TCP 25: <port is 'mail-smtp' but service 'vhack.mail' is not enabled.> TCP 53: dns TCP 80: http TCP 443: https TCP 465: <port is 'mail-smtp-tls' but service 'vhack.mail' is not enabled.> TCP 993: <port is 'mail-imap-tls' but service 'vhack.mail' is not enabled.> TCP 4190: ??? TCP 64738: ??? UDP 53: dns UDP 64738: ???
* test/sharkey: InitBenedikt Peetz39 hours
| | | | | | | | We can't test that much, as user creation and general configuration seems to be locked behind completing a point and click adventure, once Sharkey is actually setup. As such, we simply test, that Sharkey starts and provides its default HTML.
* modules/sharkey: InitBenedikt Peetz39 hours
|
* pkgs/sharkey: InitBenedikt Peetz39 hours
| | | | This is largely based on: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey/package.nix
* tests/{common,email-dns}: Move last part of acme and dns handling to commonBenedikt Peetz39 hours
| | | | This makes re-using it even easier.
* tests/email-dns: Factor out all of the secrets/acme stuff into a common dirBenedikt Peetz39 hours
| | | | This makes it easier to re-use this test data for various tests.
* update.sh: Also run `nix flake update`Benedikt Peetz2 days
|
* flake.lock: UpdateBenedikt Peetz2 days
|
* zones/vhack.eu: Add a taskchampion subdomainBenedikt Peetz13 days
|
* modules/system-info: Register taskchampion portBenedikt Peetz13 days
|
* modules/taskchampion-sync: Persist data directoryBenedikt Peetz13 days
|
* hosts/server2: Enable taskwarrior-syncBenedikt Peetz13 days
|
* modules/taskchampion-sync: Add {u,g}ids to {group,user}Benedikt Peetz13 days
|
* {modules,test}/taskchampion-sync: InitBenedikt Peetz13 days
|
* zones/vhack.eu: add nextcloud subdomainSilas Schöffel2025-04-07
|
* nextcloud: init on server2Silas Schöffel2025-04-07
|
* hosts/server2: FormatBenedikt Peetz2025-04-01
|
* tests/email-dns/secrets/dkim/gen_key.sh: Add shellcheck shellBenedikt Peetz2025-04-01
|
* {hosts/server3,zones/vhack.eu}: Activate stalwart-mail on server3 for soisphaBenedikt Peetz2025-04-01
|
* zones/vhack.eu: Correct specify the SRV targets as fully-qualifiedBenedikt Peetz2025-04-01
|
* zones/vhack.eu: Set the SOA name server entry to a real domainBenedikt Peetz2025-04-01
|
* zones/vhack.eu: Make it obvious, that the serial number must be changedBenedikt Peetz2025-04-01
| | | | | | | The comment alone would probably suffice, but having a convenient function that makes it obvious *what* part of the serial number you are actually supposed to change seems quite useful, when trying to reduce the possibilities of forgetting it.
* tests/dns: Avoid tracing the name-server interfacesBenedikt Peetz2025-04-01
|
* zones/vhack.eu: Also revert the mail server changesBenedikt Peetz2025-03-30
|
* {hosts/server2,modules/mail}: Re-active the old mail serverBenedikt Peetz2025-03-30
| | | | | | | | | | Running two mail-servers on one system is a total /mess/. Both try to bind to the same ports, the old stack consists of **5** different systemd services whilst stalwart-mail's systemd service simply refuses to stop, etc. I'm confident that it can work, but it would probably be best to deploy the new mail-server on server3.
* modules/mail: Avoid changing the `virtualMail` user uidBenedikt Peetz2025-03-30
| | | | | | | | We would need to set the `vmailUID` option to this value and even then some parts of SNM would still hardcode the default of 5000. Considering that we are in the process of phasing out SNM, this does not seem to be a worthwhile endeavour.
* modules/mail: Actually set the uid/gid of the virtualMail userBenedikt Peetz2025-03-30
|
* zones/vhack.eu: Use correct `eu` tld instead of `org`Benedikt Peetz2025-03-30
|
* modules/stalwart-mail: Assign uids and gids to the stalwart usersBenedikt Peetz2025-03-29
|
* modules/constants: Enforce the 0 to 400 limitBenedikt Peetz2025-03-29
|
* modules/constants: Correctly assign each uid so that none is greater 400Benedikt Peetz2025-03-29
| | | | | | | | The uid ranges from 400 upwards are reserved for things that allocate them dynamic during runtime (like systemd). Our users would than get clobbered, thus we avoid that range. BREAKING CHANGE: Well, we'll need to change all uid of the files owned by the respective users.
* modules/constants: Dry gid definitions by inheriting the uidsBenedikt Peetz2025-03-29
|
* hosts/server2: Use the correct path to the DKIM keysBenedikt Peetz2025-03-29
|
* hosts/server2: Setup stalwalt-mail on mail.vhack.eu for soispha@vhack.euBenedikt Peetz2025-03-29
| | | | | | | | We need to actually test stalwart out in the real world, because the test can never actually capture all the weird things people do with their mail setup. Refs: #6ea08aa
* tests/email-dns/secrets: Re-key secrets, so that soispha and sils can read themBenedikt Peetz2025-03-27
| | | | | | Doing a full `ragenix --rekey --idenitity <soispha.age.key>` run will fail, if there are secrets that she cannot decrypt. Thus encrypt the test secrets with all keys.
* flake.lock: UpdateBenedikt Peetz2025-03-27
|
* zones/vhack.eu: Fix cyclic CNAME entry for `source.vhack.eu`Benedikt Peetz2025-03-21
|
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-04-24 10:37:21 +0000