Jaaj-San/pointfichiers
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Jaaj-San:499d34119d55a552e6d9b07fd196da07a3dc3e99
Branches Tags
Jaaj-San:main
Jaaj-San:feat/ovh-config
Jaaj-San:feat/nix
..
compare: Jaaj-San:ed4e4b1f2c93b1e3456bb556c1e24b543067cc3c
Branches Tags
Jaaj-San:main
Jaaj-San:feat/ovh-config
Jaaj-San:feat/nix

No commits in common. "499d34119d55a552e6d9b07fd196da07a3dc3e99" and "ed4e4b1f2c93b1e3456bb556c1e24b543067cc3c" have entirely different histories.
499d34119d ... ed4e4b1f2c

4 changed files with 62 additions and 55 deletions
Show stats Expand all files Collapse all files

9
secrets/OVHCloud/default.yaml
View file

@ -43,8 +43,8 @@ outline:
penpot: penpot:
SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str] SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str] OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
SMTP_HOST: ENC[AES256_GCM,data:J7D9fTRW1iANdPecxr0=,iv:LtTsRC144slQzt17DmOWL84NJJBR8A/emopAo8Qu1MM=,tag:6wUO1j0T7xAdkdkD1Xo2Cw==,type:str] SMTP_HOST: ENC[AES256_GCM,data:Gk9QnKvmxLypHv/vqVI=,iv:wHZmUledOjyq7B4IR4EXop2cfC8lo41kP1oJDWKvsqk=,tag:Vh0pdYktKSSTGlY9mB/SfA==,type:str]
SMTP_PORT: ENC[AES256_GCM,data:fG4=,iv:PuMglwRdX45zZJaqsWfPxhuWpjpeOYL3M7bpj4g4GNg=,tag:K52aL+CGtzBjfPKKOCDm6A==,type:str] SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str] SMTP_USERNAME: ENC[AES256_GCM,data:VW/cB/BIisGfhwWNLNvRCvWGYI8=,iv:u+nAfJUfMZtthe18DPy4yBEWcbh52ZrUsbaOW8vnbVw=,tag:PLq47UuvDzd/X1aoCtRJjw==,type:str]
SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str] SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:Uk7czFf4,iv:2PGek4z7UJzvs6X4Jq8wx+HkUFYGtq0kVJd5ba3M24E=,tag:QysuNOULNHBPdheBH6CRDA==,type:str] POSTGRES_USER: ENC[AES256_GCM,data:Uk7czFf4,iv:2PGek4z7UJzvs6X4Jq8wx+HkUFYGtq0kVJd5ba3M24E=,tag:QysuNOULNHBPdheBH6CRDA==,type:str]
@ -55,7 +55,6 @@ penpot:
STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str] STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str]
STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str] STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str]
stalwart-mail: stalwart-mail:
ACME_SECRET: ENC[AES256_GCM,data:maC7iAMiwFCYXD15IEqaCVi9TqPAIJ15T/yJWSwo4dW3mdqXmItS4hoS2cI=,iv:fWDase9PM2riakQDUiuCTa+W9W4bf7I39k/WSbX4RjI=,tag:+OixerP8JWAjGeh8U+g32g==,type:str]
ADMIN_SECRET: ENC[AES256_GCM,data:4ytiKxJ55Wm9p6M=,iv:dl1BCtxOu4o+2qC6ZlUw8cluoqDjp16/SN9bhGneRHs=,tag:qEgWrYHQJHDjR2PwK9y8UA==,type:str] ADMIN_SECRET: ENC[AES256_GCM,data:4ytiKxJ55Wm9p6M=,iv:dl1BCtxOu4o+2qC6ZlUw8cluoqDjp16/SN9bhGneRHs=,tag:qEgWrYHQJHDjR2PwK9y8UA==,type:str]
shadowsocks: shadowsocks:
password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str] password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
@ -92,8 +91,8 @@ sops:
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-10T18:55:35Z" lastmodified: "2024-11-07T22:25:47Z"
mac: ENC[AES256_GCM,data:yoir0/xLbAksjcq61Fsnj0WJub1BkCohTngZIX3Ol8lT+5Fzn3uPPsheadgWKXYirMVAxm5HtvAiLetxbI1G4vFvu+BTiUhDvaV1VjS32JcJrDuvKzgdLgKUbE+bbAXobMduO7UAdzriXzTYJa3JpcSY6YtveyMiXB72Spqza04=,iv:KvYH1r9qNLr0eJF3kpIfvVESDr/EPb2vC5oOUK+x0u8=,tag:vJkGgBDnZMtgOlYztu7plw==,type:str] mac: ENC[AES256_GCM,data:6LynPNzengBoVm5fPtxHuUxbvMy7Vaf6Qd/ikUcu8/Af3oPhxeBTwN0aOje+oqAVuYFsNLCsf1GGCkZ+U1mK+Fr777vSsl/+T5iG7hcjTht+Gtq2sK93qiGB6rdYrHzuJ6G3hHR1Xl/OGW7TsYj9+2PJvV/Hr18qElr3VDBDJD0=,iv:EQe5Q4FDn9Di4L76eIw/wU+44iCeTS7lrJlPfZvLOdM=,tag:sEYyV4+jN8yEKPfYgrSemg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1

5
services/authelia/configuration.yml
View file

@ -76,12 +76,9 @@ storage:
notifier: notifier:
disable_startup_check: true disable_startup_check: true
smtp: smtp:
address: 'smtp://mail.gasdev.fr:25' address: 'smtp://smtp.gasdev.fr:25'
username: 'postmaster@gasdev.fr' username: 'postmaster@gasdev.fr'
sender: 'Authelia <authelia@gasdev.fr>' sender: 'Authelia <authelia@gasdev.fr>'
identifier: 'mail.gasdev.fr'
tls:
server_name: 'mail.gasdev.fr'
log: log:
level: 'info' level: 'info'

2
services/outline/default.nix
View file

@ -28,7 +28,7 @@
}; };
smtp = { smtp = {
host = "mail.gasdev.fr"; host = "smtp.gasdev.fr";
port = 465; port = 465;
username = "postmaster@gasdev.fr"; username = "postmaster@gasdev.fr";
passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path; passwordFile = config.sops.secrets."outline/SMTP_PASSWORD".path;

101
services/stalwart-mail/default.nix
View file

@ -2,73 +2,51 @@
domain = "gasdev.fr"; domain = "gasdev.fr";
in { in {
sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail"; sops.secrets."stalwart-mail/ADMIN_SECRET".owner = "stalwart-mail";
sops.secrets."stalwart-mail/ACME_SECRET".owner = "stalwart-mail";
services.caddy.virtualHosts."mailadmin.${domain}" = { services.caddy.virtualHosts."${domain}".extraConfig = ''
extraConfig = '' redir https://www.gasdev.fr
reverse_proxy http://127.0.01:8080 '';
'';
serverAliases = [ services.caddy.virtualHosts."mail.${domain}".extraConfig = ''
"mta-sts.${domain}" reverse_proxy 127.0.0.1:8080
"autoconfig.${domain}" '';
"autodiscover.${domain}"
"mail.${domain}"
];
};
networking.firewall.allowedTCPPorts = [25 465 587 993];
services.stalwart-mail = { services.stalwart-mail = {
enable = true; enable = true;
settings = { settings = {
lookup.default.hostname = "mail.${domain}";
server = { server = {
hostname = "mx1.${domain}"; tls.certificate = "default";
tls = { http = {
enable = true; url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port";
implicit = true; use-x-forwarded = true;
}; };
listener = { listener = {
smtp = { smtp = {
bind = ["[::]:25"];
protocol = "smtp"; protocol = "smtp";
bind = "[::]:25";
}; };
submissions = { submissions = {
bind = "[::]:465"; bind = ["[::]:465"];
protocol = "smtp"; protocol = "smtp";
tls.implicit = true;
}; };
imaps = { imaptls = {
bind = "[::]:993"; bind = ["[::]:993"];
protocol = "imap"; protocol = "imap";
}; tls.implicit = true;
jmap = {
bind = "[::]:8080";
url = "https://mail.${domain}";
protocol = "jmap";
}; };
management = { management = {
bind = ["127.0.0.1:8080"]; bind = "[::]:8080";
protocol = "http"; protocol = "http";
}; };
}; };
}; };
lookup.default = { certificate.default = {
hostname = "mx1.${domain}"; default = true;
domain = "${domain}"; cert = "%{file:/var/lib/stalwart-mail/cert/${domain}.pem}%";
private-key = "%{file:/var/lib/stalwart-mail/cert/${domain}.priv.pem}%";
}; };
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
contact = "postmaster@${domain}";
domains = ["${domain}" "mx1.${domain}"];
provider = "cloudflare";
secret = "%{file:${config.sops.secrets."stalwart-mail/ACME_SECRET".path}}%";
};
session.auth = {
mechanisms = "[plain]";
directory = "'in-memory'";
};
session.rcpt.directory = "'in-memory'";
queue.outbound.next-hop = "'local'";
directory."imap".lookup.domains = ["${domain}"];
storage = { storage = {
data = "rocksdb"; data = "rocksdb";
fts = "rocksdb"; fts = "rocksdb";
@ -107,4 +85,37 @@ in {
StateDirectoryMode = "0740"; StateDirectoryMode = "0740";
}; };
}; };
networking.firewall.allowedTCPPorts = [25 465 993];
systemd.timers."stalwart-mail-update-certs" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "stalwart-mail-update-certs.service";
};
};
systemd.services."stalwart-mail-update-certs" = {
script = ''
set -eu
CADDY_CERT_DIR="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}"
STALWART_CERT_DIR="/var/lib/stalwart-mail/cert"
mkdir -p "''\${CADDY_CERT_DIR}"
mkdir -p "''\${STALWART_CERT_DIR}"
cat "''\${CADDY_CERT_DIR}/${domain}.crt" > "''\${STALWART_CERT_DIR}/${domain}.pem"
cat "''\${CADDY_CERT_DIR}/${domain}.key" > "''\${STALWART_CERT_DIR}/${domain}.priv.pem"
chown -R stalwart-mail:stalwart-mail "''\${STALWART_CERT_DIR}"
chmod -R 0700 "''\${STALWART_CERT_DIR}"
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
} }