root/the_prg_server_configuration_old
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add mail server configuration with Stalwart Mail, secrets management, and Traefik integration
All checks were successful
Build Nix modules (dry-run) / build-modules (push) Successful in 4m0s
Details

Browse source
This commit is contained in:
Root User 2026-02-15 15:47:54 +01:00
parent a91e60eb70
commit fe289e0600
Signed by: root
GPG key ID: 087F0A95E5766D72
8 changed files with 288 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

135
nix-system-configs/modules/system/mail-server.nix Normal file
View file

@ -0,0 +1,135 @@
{
config,
pkgs,
lib,
...
}: let
choose = paths: lib.findFirst builtins.pathExists null paths;
in {
options.local = {
hostname = lib.mkOption {
type = lib.types.str;
default = "nixos-default";
description = "System hostname";
};
username = lib.mkOption {
type = lib.types.str;
default = "user";
description = "Primary user username";
};
userDescription = lib.mkOption {
type = lib.types.str;
default = "NixOS User";
description = "Primary user description";
};
address = lib.mkOption {
type = lib.types.str;
default = "10.1.1.100";
description = "Static IP address";
};
};
imports = lib.filter (x: x != null) [
(choose [./modules/desktop-manager/sway_greetd_homemanager.nix ../desktop-manager/sway_greetd_homemanager.nix])
(choose [./modules/local/hostname_username.nix ../local/hostname_username.nix])
(choose [./modules/local/networking_local.nix ../local/networking_local.nix])
(choose [./modules/bootloader/seabios-assigned-proxmox-at-birth.nix ../bootloader/seabios-assigned-proxmox-at-birth.nix])
(choose [./modules/lix-default.nix ../lix-default.nix])
(choose [./modules/secrets-config/sops-the-blank-system.nix ../secrets-config/sops-the-blank-system.nix])
(choose [./modules/toolsets/grafana_metric.nix ../toolsets/grafana_metric.nix])
(choose [./modules/secrets-config/sops-mail.nix ../secrets-config/sops-mail.nix])
];
config = {
local.hostname = "nixos-mailserver";
local.username = "mailprg";
local.userDescription = "NixOS PRG Mailing Service";
local.address = "10.1.1.15";
system.stateVersion = "25.11";
services.stalwart-mail = {
enable = true;
openFirewall = true;
settings = {
server = {
hostname = "mail.prg-radio.org";
tls = {
enable = true;
implicit = true;
};
listener = {
smtp = {
protocol = "smtp";
bind = "[::]:25";
proxy.trusted-networks = [
"10.1.1.250/32"
];
};
submissions = {
bind = "[::]:465";
protocol = "smtp";
tls.implicit = true;
# Also trust proxy for SMTPS
proxy.trusted-networks = ["10.1.1.250/32"];
};
imaps = {
bind = "[::]:993";
protocol = "imap";
tls.implicit = true;
proxy.trusted-networks = ["10.1.1.250/32"];
};
jmap = {
bind = "[::]:8080";
url = "https://mail.prg-radio.org";
protocol = "http";
};
management = {
bind = ["127.0.0.1:8080"];
protocol = "http";
};
};
};
lookup.default = {
hostname = "mail.prg-radio.org";
domain = "prg-radio.org";
};
acme."letsencrypt" = {
directory = "https://acme-v02.api.letsencrypt.org/directory";
challenge = "dns-01";
contact = config.sops.secrets."cloudflare-username".path;
domains = ["prg-radio.org" "mail.prg-radio.org"];
provider = "cloudflare";
secret = config.sops.secrets."cloudflare-dns-token".path;
};
session.auth = {
mechanisms = "[plain]";
directory = "'in-memory'";
};
storage.directory = "in-memory";
session.rcpt.directory = "'in-memory'";
directory."imap".lookup.domains = ["prg-radio.org"];
directory."in-memory" = {
type = "memory";
principals = [
{
class = "individual";
name = "Polyteknisk Radiogruppe Board Member";
secret = config.sops.secrets."board-member-password".path;
email = ["board@prg-radio.org"];
}
{
class = "individual";
name = "postmaster";
secret = config.sops.secrets."board-member-password".path;
email = ["postmaster@prg-radio.org"];
}
];
};
authentication.fallback-admin = {
user = "admin";
secret = config.sops.secrets."admin-password".path;
};
};
};
};
}