wip: feat(mail): init host and module

feat(dns): migrate forkos.org zone to dnsimple
fix(dns): apex cnames are not allowed
2024-09-24 22:01:03 +02:00 · 2024-09-24 21:10:39 +02:00 · 2024-09-24 20:50:41 +02:00 · 2024-09-24 18:37:55 +00:00
6 changed files with 216 additions and 1 deletions
--- a/flake.lock
+++ b/flake.lock
@ -78,6 +78,22 @@
        "type": "github"
      }
    },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
    "buildbot-nix": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -298,6 +314,22 @@
        "type": "github"
      }
    },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
@ -715,6 +747,7 @@
        ],
        "nix-gerrit": "nix-gerrit",
        "nixpkgs": "nixpkgs_2",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
        "terranix": "terranix"
      }
    },
@ -747,6 +780,29 @@
        "url": "https://static.rust-lang.org/dist/channel-rust-1.78.0.toml"
      }
    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_5",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-24_05": []
+      },
+      "locked": {
+        "lastModified": 1722877200,
+        "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
    "stable": {
      "locked": {
        "lastModified": 1696039360,
--- a/flake.nix
+++ b/flake.nix
@ -37,6 +37,11 @@
      repo = "grapevine-fork";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+    simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";
+    simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "";
+
  };

  outputs = { self, nixpkgs, terranix, colmena, ... } @ inputs:
@ -131,6 +136,7 @@
      buildbot.imports = commonModules ++ [ ./hosts/buildbot ];
      public01.imports = commonModules ++ [ ./hosts/public01 ];
      build-coord.imports = commonModules ++ [ ./hosts/build-coord ];
+      mail.imports = commonModules ++ [ ./hosts/mail ];
    } // builders;

    hydraJobs = builtins.mapAttrs (n: v: v.config.system.build.netbootDir or v.config.system.build.toplevel) self.nixosConfigurations;
--- a/hosts/mail/default.nix
+++ b/hosts/mail/default.nix
@ -0,0 +1,53 @@
+{ lib, modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # TODO: change after adding dns
+  # deployment.targetHost = "mail.infra.forkos.org";
+  deployment.targetHost = "2a01:4f8:1c17:6866::1";
+
+  bagel.services.mail.enable = true;
+  bagel.sysadmin.enable = true;
+
+  networking = {
+    hostName = "mail";
+    domain = "infra.forkos.org";
+    dhcpcd.enable = false;
+    useNetworkd = true;
+    nameservers = [
+      # hetzner
+      "2a01:4ff:ff00::add:2"
+      "2a01:4ff:ff00::add:1"
+    ];
+  };
+
+  systemd.network = {
+    networks = {
+      "10-wan" = {
+        matchConfig.Name = "enp1s0";
+        address = [
+          "49.13.86.172/32"
+          "2a01:4f8:1c17:6866::1/64"
+          "fe80::9400:3ff:feba:39b9/64"
+        ];
+        routes = [
+          { Gateway = "fe80::1"; }
+          { Destination = "172.31.1.1"; }
+          {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          }
+        ];
+        linkConfig.RequiredForOnline = "routable";
+      };
+    };
+  };
+
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+  system.stateVersion = "23.11";
+}
--- a/services/default.nix
+++ b/services/default.nix
@ -13,5 +13,6 @@
    ./buildbot
    ./newsletter
    ./s3-revproxy
+    ./mail
  ];
 }
--- a/services/mail/default.nix
+++ b/services/mail/default.nix
@ -0,0 +1,35 @@
+{ config, lib, inputs, ... }: let
+  cfg = config.bagel.services.mail;
+  inherit (lib) mkEnableOption mkIf;
+in {
+  imports = [
+    inputs.simple-nixos-mailserver.nixosModule
+  ];
+  options.bagel.services.mail = {
+    enable = mkEnableOption "E-Mail";
+  };
+  config = mkIf cfg.enable {
+    mailserver = {
+      enable = true;
+      fqdn = "mail.forkos.org";
+      domains = [
+        "vzfdfp.de"
+      ];
+      forwards = let
+        infraMembers = [
+          "forkos.janik@aq0.de"
+        ];
+        boardMembers = [
+          "vzfdfp.janik@aq0.de"
+        ];
+      in {
+        "abuse@vzfdfp.de" = infraMembers;
+        "postmaster@vzfdfp.de" = infraMembers;
+
+        "board@vzfdfp.de" = boardMembers;
+        "vorstand@vzfdfp.de" = boardMembers;
+      };
+      certificateScheme = "acme-nginx";
+    };
+  };
+}
--- a/terraform/dnsimple.nix
+++ b/terraform/dnsimple.nix
@ -81,10 +81,74 @@ in
      ) (lib.flatten records));
      zones = domains: lib.zipAttrs (lib.mapAttrsToList (zoneName: records: domain zoneName records) domains);
    in zones {
+        "forkos.org" = ([
+          # (record "@" 300 "A" "163.172.69.160")
+          (record "@" 300 "AAAA" "2001:bc8:38ee:100:1000::20")
+
+          (dualProxyRecords "bagel-box.infra" 300 "AAAA" "2001:bc8:38ee:100:100::1")
+          (dualProxyRecords "gerrit01.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::10")
+          (dualProxyRecords "meta01.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::20")
+          (dualProxyRecords "fodwatch.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::30")
+          # git.infra.forkos.org exposes opensshd
+          (dualProxyRecords "git.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::41")
+          # git.p.forkos.org exposes forgejo ssh server.
+          (proxyRecords "git.p" 300 "AAAA" "2001:bc8:38ee:100:1000::40")
+          (dualProxyRecords "buildbot.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::50")
+          (dualProxyRecords "public01.infra" 300 "AAAA" "2001:bc8:38ee:100:1000::60")
+
+          (record "cl" 300 "CNAME" "gerrit01.infra.p")
+          (record "fodwatch" 300 "CNAME" "fodwatch.infra.p")
+          # git.p.forkos.org is the proxy variant of the Forgejo server.
+          (record "git" 300 "CNAME" "git.p")
+          (record "netbox" 300 "CNAME" "meta01.infra.p")
+          (record "amqp" 300 "CNAME" "bagel-box.infra.p")
+          (record "grafana" 300 "CNAME" "meta01.infra.p")
+          (record "hydra" 300 "CNAME" "build-coord.wob01.infra.p")
+          (record "loki" 300 "CNAME" "meta01.infra.p")
+          (record "mimir" 300 "CNAME" "meta01.infra.p")
+          (record "pyroscope" 300 "CNAME" "meta01.infra.p")
+          (record "tempo" 300 "CNAME" "meta01.infra.p")
+          (record "matrix" 300 "CNAME" "meta01.infra.p")
+          (record "alerts" 300 "CNAME" "meta01.infra.p")
+          (record "buildbot" 300 "CNAME" "buildbot.infra.p")
+          (record "b" 300 "CNAME" "public01.infra.p")
+          (record "postgres" 300 "CNAME" "bagel-box.infra.p")
+          (record "news" 3600 "CNAME" "public01.infra.p")
+
+          # S3 in delroth's basement
+          (record "cache" 300 "AAAA" "2a02:168:6426::12") # smol.delroth.net
+          (record "cache" 300 "A" "195.39.247.161") # sni proxy
+
+          # misc
+          (record "vpn-gw.wob01.infra" 300 "AAAA" "2a01:584:11::2")
+
+          (dualProxyRecords "build-coord.wob01.infra" 300 "AAAA" "2a01:584:11::1:11")
+
+          (record "mail.infra.forkos.org" 300 "A" [ "49.13.86.172" ])
+          (record "mail.infra.forkos.org" 300 "AAAA" [ "2a01:4f8:1c17:6866::1" ])
+
+          # TODO: do not hardcode, just reuse the Colmena hive module outputs to generate all the required details.
+        ]
+        ++ (map (index: record "builder-${toString index}.wob01.infra" 300 "AAAA" "2a01:584:11::1:${toString index}") (genList lib.id 11))
+        ++ (
+          let
+            # FIXME: figure out a way to poke `config.services.s3-revproxy` and
+            # automate the DNS part away?
+            buckets = [
+              "channels"
+              "releases"
+              "channel-scripts-test"
+            ];
+          in
+          map (bucket: record "${bucket}" 300 "CNAME" "public01.infra.p") buckets
+        ));
        "flowery.systems" = [
-          (record "" 300 "CNAME" "news.forkos.org")
+          (record "" 300 "ALIAS" "news.forkos.org")
        ];
        "vzfdfp.de" = [
+          (record "" 300 "MX" "10 mail.infra.forkos.org")
+          (record "_dmarc" 300 "TXT" "v=DMARC1; p=none") # TODO: Setup dmarc and dmarc exporer/monitoring
+          (record "mail._domainkey" 3600 "TXT" "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8Xy2Rytpa3X/9Or3gKqH0LTn/TD3BoLf77HtUu+GsAsZit+yIVz+zTt3NoNoYsygl2Qc27zAeJhcK3w7dbKVbuWlVBqBzrLP/QK1NqR499RUAwQfyQHZkI+BCTYEY5UkWrFAwZ7LeHgtqDNtbyeCdS7MTST0DhogtIqSJKpP0/QIDAQAB")
        ];
    };
  };
Author	SHA1	Message	Date
Janik Haag	a74611e078	wip: feat(mail): init host and module	2024-09-24 22:01:03 +02:00
Maxine Aubrey	29c1b366c6	feat(dns): migrate forkos.org zone to dnsimple	2024-09-24 21:10:39 +02:00
Maxine Aubrey	16027be2ca	fix(dns): apex cnames are not allowed change flowery.systems from CNAME to ALIAS pointing to news.forkos.org	2024-09-24 20:50:41 +02:00
Janik Haag	d780f18534	Merge pull request 'feat(dns): migrate functions from gandi to dnsimple' (#113 ) from janik/dnsimple into main Reviewed-on: #113 Reviewed-by: Maxine Aubrey <max@ine.dev>	2024-09-24 18:37:55 +00:00