| author | m4siri <git@m4siri.com> | 2025-11-23 10:36:43 +0545 |
|---|---|---|
| committer | m4siri <git@m4siri.com> | 2025-11-23 10:36:56 +0545 |
| commit | 3424cfd40c046c038df0335212e8000ebd473602 (patch) | |
| tree | fc800399450284e77be346311952968591a5534e /hosts/experimental-nixos | |
repo init
Diffstat (limited to 'hosts/experimental-nixos')
| -rw-r--r-- | hosts/experimental-nixos/default.nix | 3 | ||||
| -rw-r--r-- | hosts/experimental-nixos/experimental-nixos.nix | 1 | ||||
| -rw-r--r-- | hosts/experimental-nixos/networking.nix | 7 | ||||
| -rw-r--r-- | hosts/experimental-nixos/services/acme.nix | 14 | ||||
| -rw-r--r-- | hosts/experimental-nixos/services/ldap.nix | 57 | ||||
| -rw-r--r-- | hosts/experimental-nixos/services/nginx.nix | 34 | ||||
| -rw-r--r-- | hosts/experimental-nixos/services/secrets/ldap-content.age | bin | 0 -> 2325 bytes | |||
| -rw-r--r-- | hosts/experimental-nixos/services/secrets/ldap-root.age | 11 | ||||
| -rw-r--r-- | hosts/experimental-nixos/services/secrets/ldap-search-pw.age | 13 | ||||
| -rw-r--r-- | hosts/experimental-nixos/services/stalwart.nix | 150 |
10 files changed, 290 insertions, 0 deletions
diff --git a/hosts/experimental-nixos/default.nix b/hosts/experimental-nixos/default.nix
new file mode 100644
index 0000000..8033946
--- /dev/null
+++ b/hosts/experimental-nixos/default.nix
@@ -0,0 +1,3 @@
+{
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/experimental-nixos/experimental-nixos.nix b/hosts/experimental-nixos/experimental-nixos.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/experimental-nixos/experimental-nixos.nix
@@ -0,0 +1 @@
+{}
diff --git a/hosts/experimental-nixos/networking.nix b/hosts/experimental-nixos/networking.nix
new file mode 100644
index 0000000..1d7e4e0
--- /dev/null
+++ b/hosts/experimental-nixos/networking.nix
@@ -0,0 +1,7 @@
+{pkgs, ...}: {
+ networking.firewall = {
+ enable = true;
+ package = pkgs.iptables;
+ allowedTCPPorts = [80 443 25 465 587 110 995 143 993];
+ };
+}
diff --git a/hosts/experimental-nixos/services/acme.nix b/hosts/experimental-nixos/services/acme.nix
new file mode 100644
index 0000000..3ea342b
--- /dev/null
+++ b/hosts/experimental-nixos/services/acme.nix
@@ -0,0 +1,14 @@
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "sirimaharjan@proton.me";
+ };
+ certs."m4siri.com" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ certs."mail.m4siri.com" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ };
+}
diff --git a/hosts/experimental-nixos/services/ldap.nix b/hosts/experimental-nixos/services/ldap.nix
new file mode 100644
index 0000000..47e67d5
--- /dev/null
+++ b/hosts/experimental-nixos/services/ldap.nix
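Review bot: The `allowedTCPPorts` list in networking.nix duplicates what `openFirewall = true` in services/stalwart.nix asks the Stalwart module to do, and the two have already drifted: the sieve listener bound to `[::]:4190` in stalwart.nix is not in this list. Keep one source of truth — either drop the mail ports from this list and rely on `openFirewall`, or set `openFirewall = false` in stalwart.nix and enumerate every bound port, including 4190, here. If the explicit list is kept, a one-line comment naming which listener each port belongs to would make the next audit of this host's exposure much quicker.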
@@ -0,0 +1,57 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ secrets.ldap-root = {
+ file = ./secrets/ldap-root.age;
+ mode = "444";
+ };
+
+ secrets.ldap-search = {
+ file = ./secrets/ldap-search-pw.age;
+ mode = "444";
+ };
+ services.openldap = {
+ enable = true;
+ urlList = ["ldap:///"];
+ # mutableConfig = true;
+ settings = {
+ attrs = {
+ olcLogLevel = "conns config";
+ };
+
+ children = {
+ "cn=schema".includes = [
+ "${pkgs.openldap}/etc/schema/core.ldif"
+ "${pkgs.openldap}/etc/schema/cosine.ldif"
+ "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ "${pkgs.openldap}/etc/schema/misc.ldif"
+ "${pkgs.openldap}/etc/schema/nis.ldif"
+ ];
+
+ "olcDatabase={1}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+ olcDatabase = "{1}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+ olcSuffix = "dc=m4siri,dc=com";
+ olcRootDN = "cn=admin,dc=m4siri,dc=com";
+ olcRootPW.path = config.secrets.ldap-root.path;
+ olcAccess = [
+ '' {0}to attrs=userPassword
+ by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read
+ by self write
+ by anonymous auth
+ by * none''
+ '' {1}to *
+ by * read''
+ ];
+ };
+ };
+ };
+
+ declarativeContents = {
+ "dc=m4siri,dc=com" = builtins.readFile ./secrets/ldap-content;
+ };
+ };
+}
diff --git a/hosts/experimental-nixos/services/nginx.nix b/hosts/experimental-nixos/services/nginx.nix
new file mode 100644
index 0000000..07a1a7c
--- /dev/null
+++ b/hosts/experimental-nixos/services/nginx.nix
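Review bot: `builtins.readFile ./secrets/ldap-content` on the declarativeContents line reads a plaintext file this commit does not add (the diffstat only lists `ldap-content.age`), so evaluation fails unless that file exists outside the repo, and whatever it holds — the tree's entries and any userPassword hashes — is copied into the world-readable Nix store at evaluation time. If the option accepts a path, point it at the decrypted secret's runtime location instead, e.g. `"dc=m4siri,dc=com" = config.secrets.ldap-content.path;` with a matching `secrets.ldap-content` declaration; if it only accepts a string, the content should be loaded at service start rather than through declarativeContents. The two `mode = "444"` settings make the decrypted LDAP root and search passwords readable by every local user; if the `secrets` wrapper forwards agenix's `owner`/`group`, `mode = "440"` owned by the openldap user is sufficient for `olcRootPW.path`. Separately, `{1}to * by * read` lets anonymous binds enumerate the whole tree, which the authenticated `searchuser` bind configured in stalwart.nix does not need; `by users read by * none` would close that without affecting Stalwart.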
@@ -0,0 +1,34 @@
+{
+ services.nginx.enable = true;
+ services.nginx.enableReload = true;
+
+ users.users.nginx.extraGroups = ["acme"];
+ services.nginx.virtualHosts."m4siri.com" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "m4siri.com";
+ };
+ services.nginx.virtualHosts."mail.m4siri.com" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "mail.m4siri.com";
+
+ locations."/" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true;
+ };
+
+ locations."/.well-known/jmap" = {
+ proxyPass = "https://localhost:1443";
+ };
+
+ locations."/jmap/session" = {
+ proxyPass = "https://localhost:1443";
+ };
+
+ locations."/jmap" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/hosts/experimental-nixos/services/secrets/ldap-content.age b/hosts/experimental-nixos/services/secrets/ldap-content.age
Binary files differ
new file mode 100644
index 0000000..ec16d56
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/ldap-content.age
diff --git a/hosts/experimental-nixos/services/secrets/ldap-root.age b/hosts/experimental-nixos/services/secrets/ldap-root.age
new file mode 100644
index 0000000..46ac649
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/ldap-root.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEF5bFBtZyA5b3FF
+UHU3L3BUTVJkdlFTanhMZXZLQjRVTGZyWDd1bmt2VWJEM213VVdjCnNmSnF0aWYz
+b3kxYWRkMWhLQVlFcjQ3eCt6Q200VjRWM0xOQzVUZy80Y2cKLT4gc3NoLWVkMjU1
+MTkgbC94dFF3IE01Z1ZOdVJidFJiQ1VSQTJHRXhqcmcxdW1QeVdpVlovTXBWaHhR
+UWZDZzgKTzc3QXlBVW1DSzZpOXh0VjRtUTFxR2F0a2tTY1dHdWZsVm92Mis4UVIy
+VQotPiBqVGU4LWdyZWFzZSB1IFQgQkpxTSx3KlcKT1A4NWtJcno5LysrdVFBeG4w
+a1I3a2xaL2ZNYThBCi0tLSBQajdtNjhmeVRTSkp3eFJlSFU3a2dIaVcxdlpabW9S
+enpTOHpQRUk3WUNzCrqapwhl61rX/y3n6cFD8xB861lkJlxtATDOIwCEu3nUjgQz
+M2a7TW8csioI4DjyuyMuNhMrBw==
+-----END AGE ENCRYPTED FILE-----
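Review bot: `addSSL = true` on both virtual hosts keeps a plain-HTTP listener that proxies to Stalwart's `127.0.0.1:8080` listener, so a browser or JMAP client reaching `http://mail.m4siri.com` sends its credentials in the clear; `forceSSL = true` redirects those requests to HTTPS, and the NixOS nginx module should still serve the ACME challenge location on port 80 in that mode. Routing `/.well-known/jmap` and `/jmap/session` to the TLS listener on 1443 while `/jmap` goes to 8080 looks like a workaround for Stalwart's `http.url` deriving the scheme from the listener it was reached on; a short comment on the `locations."/.well-known/jmap"` block stating that intent would stop the next reader from "simplifying" it. Note also that nginx does not verify the upstream certificate on `proxyPass = "https://localhost:1443"` by default, so the https hop to a loopback backend adds no assurance over the 8080 path.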
diff --git a/hosts/experimental-nixos/services/secrets/ldap-search-pw.age b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
new file mode 100644
index 0000000..a0cbba9
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/ldap-search-pw.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEF5bFBtZyBScERE
+MEZFdm9LbWh5b0xqdTd1TGJxTTU0L01pSk5zWHhlcWFKZzgvNGdzClY0ZHVNdWhm
+MWk4aHpYcnhoMlJLemZXL2g0VG8vVHc4YThUR21kSjEyOEEKLT4gc3NoLWVkMjU1
+MTkgbC94dFF3IHFHand2TGJUYUNDeExLemtvRUYxY0N0MW51WXk4ZzFqLzlWTnBI
+WmlueUEKeUZsSFNUWUVqcmtSbU9CZzVkTmM0SkUxUzJLZ2xNeUxyenZrWmZESFJL
+QQotPiAiLWdyZWFzZSBEWSBlWUlsditRCjk3aHdYYUdmS2ZRWTF5bmRQNkNjN2px
+ODJyaTh2Nk5NbXRsZXY4WTlmaEdEb0xVYlQvUVRIcFNBTS9vZmcwWVkKUkFTbTFo
+QjRRNmlOR1hjd1Z6RnJQcVlWdlZFanNMazRVREVuazVxazliR3NJdi9Ca3FSL3JH
+VG8KLS0tIFUvV1F4YVg2UGJtS1U0a3JidEh2elRDZEViUmI5RSt4MWZEdU1VOFN3
+VHMKbS4mptDGnMfvSjnBm+eKrYhg/VFqR2jovtL3KgViBNhWAh3Sg5Mdua0GEfhM
+oNuLTadgM+lAIIdsjAej6Kba0uhjr7P+M+8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
new file mode 100644
index 0000000..665fb6e
--- /dev/null
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -0,0 +1,150 @@
+{
+ pkgs,
+ nixpkgs-unstable,
+ unstable,
+ config,
+ ...
+}: {
+ disabledModules = ["services/mail/stalwart-mail.nix"];
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix"
+ ];
+
+ environment.etc."stalwart-mail/search-pw".source = config.secrets.ldap-search.path;
+
+ systemd.services.stalwart-mail.serviceConfig = {
+ EnvironmentFile = config.age.secrets.ldap-search.path;
+ };
+
+ users.users.stalwart-mail.extraGroups = ["acme"];
+
+ services.stalwart-mail = {
+ enable = true;
+ package = unstable.stalwart-mail;
+ openFirewall = true;
+ credentials = {
+ user_admin_password = config.secrets.ldap-root.path;
+ user_search_password = config.secrets.ldap-search.path;
+ };
+
+ settings = {
+ certificate.default = {
+ cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
+ private-key = "%{file:/var/lib/acme/mail.m4siri.com/key.pem}%";
+ default = true;
+ };
+ http.url = "protocol + '://' + config_get('server.hostname')";
+ tracer.stdout = {
+ level = "trace";
+ };
+ auth.search = "%{file:/etc/stalwart-mail/search-pw}%";
+ server = {
+ hostname = "mail.m4siri.com";
+ tls = {
+ implicit = false;
+ };
+ auto-ban = {
+ auth.rate = "10/1d";
+ };
+ listener = {
+ smtp = {
+ protocol = "smtp";
+ bind = "[::]:25";
+ };
+ submissions = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ pop3 = {
+ bind = "[::]:110";
+ protocol = "pop3";
+ };
+ pop3s = {
+ bind = "[::]:995";
+ protocol = "pop3";
+ tls.implicit = true;
+ };
+ imap = {
+ bind = "[::]:143";
+ protocol = "imap";
+ };
+ imaps = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ http = {
+ bind = ["127.0.0.1:8080"];
+ protocol = "http";
+ };
+ https = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ jmap = {
+ bind = ["127.0.0.1:1443"];
+ protocol = "http";
+ tls.implicit = true;
+ };
+ sieve = {
+ bind = "[::]:4190";
+ protocol = "managesieve";
+ };
+ };
+ };
+
+ storage.blob = "rocksdb";
+ storage.data = "rocksdb";
+ storage.directory = "ldap";
+ storage.fts = "rocksdb";
+ store = {
+ "rocksdb" = {
+ compression = "lz4";
+ path = "/var/lib/stalwart-mail/data";
+ type = "rocksdb";
+ };
+ };
+
+ authentication.fallback-admin = {
+ user = "fallback-admin";
+ secret = "%{file:/run/credentials/stalwart-mail.service/user_admin_password}%";
+ };
+
+ directory.ldap = {
+ type = "ldap";
+ url = "ldap://localhost:389";
+ timeout = "30s";
+ base-dn = "dc=m4siri,dc=com";
+ tls.enable = false;
+
+ bind = {
+ dn = "cn=searchuser,ou=users,dc=m4siri,dc=com";
+ secret = "%{env:STALWART_SEARCH_PW}%";
+ auth = {
+ method = "template";
+ template = "uid={local},ou=users,dc=m4siri,dc=com";
+ search = true;
+ };
+ };
+ filter = {
+ name = "(&(objectClass=inetOrgPerson)(|(mail=?)(uid=?)))";
+ email = "(&(objectClass=inetLocalMailRecipient)(|(mail=?)(mailLocalAddress=?)))";
+ };
+
+ attributes = {
+ name = "uid";
+ secret = "userPassword";
+ email = "mail";
+ email-alias = "mailLocalAddress";
+ };
+ };
+ };
+ };
+}
|
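Review bot: The `submission` listener on `[::]:587` sets `tls.implicit = true`, but 587 is the STARTTLS submission port (implicit TLS belongs to `submissions` on 465), so standard clients connecting to 587 will fail the handshake; drop `tls.implicit = true;` from that block so it inherits `server.tls.implicit = false`. The `https` and `jmap` listeners both bind `127.0.0.1:1443`, which only works if Stalwart tolerates a duplicate bind; one of them should go or get its own port. The search password is consumed in three incompatible ways — as a systemd `EnvironmentFile` (which expects `KEY=value` lines) feeding `%{env:STALWART_SEARCH_PW}%`, and as a raw value through `auth.search` and the `user_search_password` credential — and the `EnvironmentFile` line reads `config.age.secrets` while every other reference uses `config.secrets`, so at least one of these readings is wrong. Using the credential already loaded, `secret = "%{file:/run/credentials/stalwart-mail.service/user_search_password}%";`, mirrors the fallback-admin block and lets the `EnvironmentFile`, `environment.etc` and `auth.search` lines be removed. `tracer.stdout.level = "trace"` on a mail server is also likely to put protocol-level detail, including authentication exchanges, into the journal; `info` is the safer setting once the setup works.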
