diff --git a/config/mail-postfix.nix b/config/mail-postfix.nix
new file mode 100644
index 0000000..ce610b4
--- /dev/null
+++ b/config/mail-postfix.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ ...
+}:
+{
+ services.postfix = {
+ enable = true;
+ enableSubmissions = true;
+ settings.main = {
+ relayhost = [ "smtp.protonmail.ch:587" ];
+ smtp_use_tls = "yes";
+ smtp_tls_security_level = "may";
+ myhostname = "mail.plg.m0rel.eu";
+ mydomain = "m0rel.eu";
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_security_options = "";
+ smtp_sasl_password_maps = "texthash:${config.age.secrets.mail-smtp-relay.path}";
+ virtual_alias_maps = "inline:{ { root=home@m0rel.eu } }";
+ };
+ };
+}
diff --git a/config/vault-vaultwarden.nix b/config/vault-vaultwarden.nix
index 38ed641..ce9b892 100644
--- a/config/vault-vaultwarden.nix
+++ b/config/vault-vaultwarden.nix
@@ -34,8 +34,13 @@ in
 SSO_SCOPES = "openid profile email offline_access";
 SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
 SSO_CLIENT_CACHE_EXPIRATION = 0;
- SSO_ONLY = true; # Set to true to disable email and master password login and require SSO
+ SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
 SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
+
+ SMTP_HOST = "192.168.68.33";
+ SMTP_PORT = "25";
+ SMTP_SECURITY = "off";
+ SMTP_FROM = "home@m0rel.eu";
 };
 dbBackend = "postgresql";
 };
diff --git a/containers/mail.nix b/containers/mail.nix
index ebc4d84..7cbc4a9 100644
--- a/containers/mail.nix
+++ b/containers/mail.nix
@@ -11,18 +11,14 @@ in
 swap = 512;
 };
 system = {
+ importConfig = [
+ ../config/mail-postfix.nix
+ ];
 port = 80;
 additionalPorts = [
 25 # smtp
 465 # smtps
 ];
- services.postfix = {
- enable = true;
- enableSubmission = true;
- enableSubmissions = true;
- mailname = "mail.m0rel.eu";
- domain = "plg.m0rel.eu";
- };
 };
 logging = {
 enable = true;
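Review bot: In config/mail-postfix.nix, `smtp_tls_security_level = "may"` makes TLS to the relay opportunistic, so if STARTTLS is not offered or is stripped in transit Postfix falls back to cleartext, and with `smtp_sasl_security_options = ""` it may then send the relay credentials using a plaintext mechanism. The relayhost is a fixed submission endpoint on 587, so encryption can be mandatory and the usual SASL floor kept: `smtp_tls_security_level = "encrypt";` and `smtp_sasl_security_options = "noanonymous";`. Note that `encrypt` does not authenticate the server; `verify` or `secure` with a CA bundle would be needed to also check the relay's certificate. `smtp_use_tls` is the legacy spelling of the same knob and can be dropped once the level is set explicitly.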
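Review bot: The new SMTP block in config/vault-vaultwarden.nix uses `SMTP_SECURITY = "off"` against port 25 on a hard-coded address, so everything the vault mails (invitations, verification and login-related messages) crosses the network unencrypted and unauthenticated. The Postfix config added in this commit enables submissions, so if that listener has a certificate the client could use `SMTP_PORT = "465";` with `SMTP_SECURITY = "force_tls";`. Otherwise a comment stating that the cleartext hop is deliberate and confined to a trusted segment would be worth adding. Separately, `SSO_ONLY = false` re-enables email and master-password login in a commit that is otherwise about mail; if that is intended, a comment or the commit message should say so, since it widens the login surface. The enclosing attribute set starts and ends outside the hunk.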
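Review bot: `additionalPorts` in containers/mail.nix keeps 25 and 465 open, but the imported config/mail-postfix.nix sets no `mynetworks` or relay restriction, so who may relay through this host rests entirely on Postfix defaults. The host now authenticates upstream on behalf of the domain, so I would pin the allowed clients explicitly next to the relayhost settings, for example `mynetworks = [ "127.0.0.0/8" "<vaultwarden-container-ip>/32" ];` (placeholder address). Port 465 is only useful if a certificate is configured for the submissions listener, which is not visible in this commit. The `system` block starts and ends outside the hunk.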
diff --git a/modules/containers-terraform-proxmox.nix b/modules/containers-terraform-proxmox.nix index 3608fbd..aad488b 100644 --- a/modules/containers-terraform-proxmox.nix +++ b/modules/containers-terraform-proxmox.nix @@ -1,14 +1,12 @@ { config, - tools, - lib, ... }: let cfg = config.my-lxc; in { - proxmox_lxc = lib.mapAttrs ( + proxmox_lxc = builtins.mapAttrs ( name: def: let c = def.container; @@ -25,7 +23,7 @@ in network = { name = "eth0"; bridge = "vmbr0"; - ip = tools.build_ip_cidr name; + ip = "192.168.1.${name}"; gw = config.globals.gateway; type = "veth"; }; @@ -37,7 +35,7 @@ in }; swap = c.swap; vmid = config.id.${name}; - tags = lib.strings.join ";" ([ "terraform" ] ++ c.tags); + tags = builtins.strings.join ";" ([ "terraform" ] ++ c.tags); } // c.overrides ) cfg; diff --git a/modules/containers.nix b/modules/containers.nix index 11ebf21..1f3ff84 100644 --- a/modules/containers.nix +++ b/modules/containers.nix @@ -334,15 +334,6 @@ in (import ./containers-terraform-proxmox.nix { inherit config tools lib; }) (import ./containers-terraform-authentik.nix { inherit config tools lib; }) ]; - tf.data.authentik_outpost.embedded = { - name = "authentik Embedded Outpost"; - }; - tf.data.authentik_flow.default-authorization-flow = { - slug = "default-provider-authorization-implicit-consent"; - }; - tf.data.authentik_flow.default-invalidation-flow = { - slug = "default-provider-invalidation-flow"; - }; nixosModule = lib.mapAttrs ( container: def: diff --git a/secrets/auth-authentik-ldap-secrets.age b/secrets/auth-authentik-ldap-secrets.age index 9bbed38..14409cf 100644 Binary files a/secrets/auth-authentik-ldap-secrets.age and b/secrets/auth-authentik-ldap-secrets.age differ diff --git a/secrets/auth-authentik-proxy-secrets.age b/secrets/auth-authentik-proxy-secrets.age index 7d9b9f6..597d268 100644 Binary files a/secrets/auth-authentik-proxy-secrets.age and b/secrets/auth-authentik-proxy-secrets.age differ 
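Review bot: In the `network` hunk of modules/containers-terraform-proxmox.nix, `ip = "192.168.1.${name}"` interpolates the container's attribute name, the same key used for `config.id.${name}` a few lines later. Unless container names are numeric this is not a valid address, and it also loses whatever prefix length `tools.build_ip_cidr` produced. The 192.168.1.x prefix also differs from the 192.168.68.33 SMTP target added elsewhere in this commit, so this looks like a debugging leftover (inferred). I would keep `tools` in the argument set and restore `ip = tools.build_ip_cidr name;`; the call site in modules/containers.nix still passes `inherit config tools lib`.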
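Review bot: In the last hunk of modules/containers-terraform-proxmox.nix, `builtins.strings.join` does not exist, because `builtins` has no `strings` attribute, so evaluating `tags` will fail as soon as it is forced. If the goal is to drop the `lib` argument, the builtin equivalent is `tags = builtins.concatStringsSep ";" ([ "terraform" ] ++ c.tags);`. Otherwise keep `lib` in the function arguments and leave the original line. The enclosing `mapAttrs` lambda starts outside the hunk.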
diff --git a/secrets/auth-authentik-secrets.age b/secrets/auth-authentik-secrets.age index b8cf917..f25d276 100644 Binary files a/secrets/auth-authentik-secrets.age and b/secrets/auth-authentik-secrets.age differ diff --git a/secrets/db-postgres-initscript.age b/secrets/db-postgres-initscript.age index f0e7685..c8aab86 100644 --- a/secrets/db-postgres-initscript.age +++ b/secrets/db-postgres-initscript.age @@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg xNDlDdho+Amh4Wf77L/0OfMWevmRQUB49fjNAgj4sXo -iRHPgcqPqsBJVtv4Map3WRpG173YQlwZ9hJI1hgbIB4 --> ssh-ed25519 tqMvRA MGYTH08khPjQrLGFbq2Evd1fFkFbI3ap/jM9jiDnoBo -sgWaeJ3IWV4E6LYgmFVHTIOrGZ2ZHUmFRJY+CvAFjbk --> ssh-ed25519 720szw sC+xKVyWtGH8Hq9hwcg4X6gylYDYphP1/NanE07hhBc -30HqQ7wdYr0n1vVNwx8pkUrm+6vxtPTz/70QkJxXrlg ---- qpQfmx0AAz4q5Z7UT+vhiwRztZ0dDAotEUDJy7xR75c -SFN3CQBv窂l L|8kLۅ lmC -Qڙ% zRT-.Qv0-{$πzzJz",Ph^: X9/ \ No newline at end of file +-> ssh-ed25519 jxhkLg YNVl9EvnlsfS8rqCORhExodr4U7doD2sc2V2Igh6wyM +2+9ccgcBxgtZiRARbYb3CGt3t/iUbJ1Z4GppNuxKpWU +-> ssh-ed25519 tqMvRA P5GUVZrILJSE/ZvF/cmSAeocAP3XWsohA8kQtW3zU2s +EFmkyCY0QZsqRhhUjYIdjV5Tqy1JrdaV0Px4rImB3j0 +-> ssh-ed25519 720szw AuUmyABlgdDYkotBpRF7MmNXjz/bgnSeIF7c6t7GnBE +MfJt7x8ChIAaGNCs46gM1GbXPKTfU08/e+A2v+G+4I0 +--- 78XdYtCgrNbwHYR3wk2cyVTz7nJNvbbvU2a/Vv5JIBA +X;%IrX9/$ hLp =3/$ 7lt~SNz9 udЙPT~@ 4*F2Pӯr \ No newline at end of file diff --git a/secrets/finances-app-key.age b/secrets/finances-app-key.age index c1c8c14..22e9b9d 100644 --- a/secrets/finances-app-key.age +++ b/secrets/finances-app-key.age 
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg mwMAP1IoULmBo8MiQbF7/OTFqHGEDvQAWtyu88KPkWA -b7rx/IbvpHppKH0nkomglxRkcjE6L0/SHlZ0rwSKVi4 --> ssh-ed25519 tqMvRA 08jdQsatahCoJu552xIsjf6aeKR2kfHqcpigtVEN6lA -R8VfTa9BUs7B6LZD3ZeW91VaMRGwNbP7+WkBi7mU2ec --> ssh-ed25519 UJuwpQ ZFeIg0jF3Wgp3Az9XRaqynaAA9gVETjqMHAAHpn5o2I -v+9C2KHhDPzDDGJjBgA03pbuALaBm0VP29qtpzeDe1c ---- ucg+XE0J0RL8ZN4pH4BAly3A5eMoSUSG/AqQSfXJ9Ro -lBERI@8P,]?almK2*:crF^׿:S&qy "* \ No newline at end of file +-> ssh-ed25519 jxhkLg jmZEdYs0k0ZW68F6fhW9fCtyT4WWNUeBfvoMqAdLBxY +PW8qcAecC7ouQWBz4lyEYS/Tssc7U9D9RyI99tO+D4o +-> ssh-ed25519 tqMvRA VKn6tGS4/gim8rLKoi9N/NrsGLgUph2Xjl0ek3LwyjE +m0fNiJqN47AM7NRgFY+Wda2QL1FJYt7zKMKx4ngutLQ +-> ssh-ed25519 UJuwpQ UydkFFa+9kSqWRmhLe7878GPVrC+wAPCIhxidM93VgA +YDeQwo+b/bDrCSNyar7Je12RkhFKkN5BRKgk037uPVA +--- 7OoH3mHI3xhpIR9wG7x99bpAgRz3f/cATOo7bC1mUFI +h#>~"ދ{,汳;Pua͑ЦtGȒi•ٚ">)хr Ci \ No newline at end of file diff --git a/secrets/gitea-action-token.age b/secrets/gitea-action-token.age index 8cd8102..5db7e59 100644 Binary files a/secrets/gitea-action-token.age and b/secrets/gitea-action-token.age differ diff --git a/secrets/mail-smtp-relay.age b/secrets/mail-smtp-relay.age new file mode 100644 index 0000000..2f4a938 --- /dev/null +++ b/secrets/mail-smtp-relay.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 jxhkLg +poePGAJ/ZVLHPXEK/Yr8tpmWZBRwB3bdx5FnLARY3A +9/OA2Mix1X+uvrFEEpZVOJZHoloVRSL35iGhxWqv2XM +-> ssh-ed25519 tqMvRA DQ+gJqcSfjmYxs+L/6DJ86yEkGtV4v+Y4xJExYNuVDI +lqv5OaNuHKtXjpgEQwlyuahp1O5a3nc83W8joaNn/mw +-> ssh-ed25519 SEy3Fw 09q3eW5ppW9JO0DWQo34VdaXHEllKlxnTdCy+K2SoAQ +bQfnSNiy5ZZCT7hpfNiLVVionG/UMVsYBxMWj/1359w +--- yiuElsPJeYH/0XB2YRd3gnwYFMPtPDXJQ71zVypdJew +ah)oZHp@/fM.[u!p =g +sF`FE2K%wKmi&`L.*@R" \ No newline at end of file diff --git a/secrets/matrix-maubot-cfg.age b/secrets/matrix-maubot-cfg.age index b44ee67..cd24c3a 100644 Binary files a/secrets/matrix-maubot-cfg.age and b/secrets/matrix-maubot-cfg.age differ 
diff --git a/secrets/metrics-pve.age b/secrets/metrics-pve.age index 2cf53bf..227a8e9 100644 Binary files a/secrets/metrics-pve.age and b/secrets/metrics-pve.age differ diff --git a/secrets/mqtt-exporter-environment.age b/secrets/mqtt-exporter-environment.age index e3b2d48..f7a990f 100644 Binary files a/secrets/mqtt-exporter-environment.age and b/secrets/mqtt-exporter-environment.age differ diff --git a/secrets/mqtt-password-frigate.age b/secrets/mqtt-password-frigate.age index 9ef33d2..696295b 100644 --- a/secrets/mqtt-password-frigate.age +++ b/secrets/mqtt-password-frigate.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg ZLzOFFu6isbAWkrXF/etG1sjvE2O0hvDCz/BFsvONQg -gagibzhJwfpwgr3XGZJcaaD7IztcAH+HlxLwlhaYah0 --> ssh-ed25519 tqMvRA c7VvH+2ZhDozgIH24PiUaWzkEgYYHgjIq2QrQ9XAWy0 -SGsGZOVSCsodoc3unWEgaG2swbZ61G39rcQFJX6utQI --> ssh-ed25519 5VK9ng g1XMAKsB6l8vWxAAnIJIJWhzBVBeLFLg7JqzadibyBM -2Drr46dDuVJOyH0kp91K/qVdQsq1+Xd7hgoan0yc6K0 ---- ApI3P3YMJmzY8eFcZ+YzZeGvJRdqvgpMtW+I0KM0Y3c -Y}6s(qvcj叱?ھ \ No newline at end of file +-> ssh-ed25519 jxhkLg WOtezChzCSmy1x5ob8CFUKcjA8tTTJaLrUj0dhKUgiA +iYFJ0cdtpHdsK4FXRgTRAaZI7CYS8VAUKmvHC0TP0x8 +-> ssh-ed25519 tqMvRA 7AQf+l0+15W34unEqO3IyqD8qu2mIMXpVTActsUd8y0 +3xcW7LAmcUXxQKBO36WACH44IziCiHt0G1SmT4SFC/I +-> ssh-ed25519 5VK9ng Pvw6cet2AVlGx5F1F/5OM63r0fgGYEc7dCsipRPAkVQ +3HtvmxOzT4bGn9aECfusyNCpaTCNFSRgUSbeRik1wwA +--- 9dSUckyaEH5FpzcEdNTnC6M+5v7BwJapMIcSIFR29Tg +n@Y ½h'ۯӬ&w%  \ No newline at end of file diff --git a/secrets/mqtt-password-ha.age b/secrets/mqtt-password-ha.age index 694ca89..91f9170 100644 Binary files a/secrets/mqtt-password-ha.age and b/secrets/mqtt-password-ha.age differ diff --git a/secrets/mqtt-password-mqtt.age b/secrets/mqtt-password-mqtt.age index e0b2008..30a101a 100644 --- a/secrets/mqtt-password-mqtt.age +++ b/secrets/mqtt-password-mqtt.age 
@@ -1,11 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg B1+QK5IUkrya5HgZLF8oWpMiL7cBK+OYNCvNeodmqkw -mTglq5BlxDDKiYBe78Cs8tNMv0yksrvS4tyhCZKJu/M --> ssh-ed25519 tqMvRA la4nh/Nr0sNaV6JVhSi7cYLkI+kgbIhEr2fTTa/wKRA -W5qaU2lfPLVPomrkHvdwB52LxJPcUvvcgI6wN/gqeYk --> ssh-ed25519 5VK9ng vsmrq5wf3y4CiSgyNT0aQvrxLTJ0WcdG8B+zAbdpgGo -hDADh9v99hacIc85T+QP2oywVDyqJjlKVa0skJuf3BI ---- GT+Ns1ZRlOOO0HwG2WcpgG1XLf5NJzX2Hg3aJAL+vOA -0rO>xI48ϲs,K 5YI\Uc0<#d3u՝|tʏ}sP -v8=A ӡ?}+5P?1״mpZ&cˌN' \ No newline at end of file +-> ssh-ed25519 jxhkLg dADzUsvWJkprV9aYYdTQ4tLd3V6H/lMRNLaAC6fNty8 +NVzvSEd7KBDfkqbkrZgVgRJkFi6UmlqEIPr2sK+o6t8 +-> ssh-ed25519 tqMvRA XnsNo926VyUqSppFZ50N1KtzK/QCbi1lF6LJZYWUsGM +atsaJ7XjRum1dWvIjxdUq3Fr3Ypp7/RO7kqSqWfgUrM +-> ssh-ed25519 5VK9ng PJRg2ljsArsWYgAsHk8optwi7P/vZirhhX5FbINHjhs +pFJ2uibaYO2hWfSnyElxrvoFCC3BpcZOrnxET8ynBUI +--- 3vf+8iS73Sk0CeHRLkxxX4kGg+py39sAQVVDniljAEY +\E~D3x螜 `{ 4[&V2\]c4/n=P. +\E8oswbtC(9J 4F-+dR$ٜ:#a)YYHY3yg + +hu nK=kWnW۞ ssh-ed25519 jxhkLg RCq2VAcmya10eK7zwPVFB0klV0zSNkHmF+WlnJXaWzw -8ySn0NB5FNb7a2qJOzx1yiCdH2MTJWBUUPc2i5ytly0 --> ssh-ed25519 tqMvRA sB9nTKSEnh1AQ0rYf1uYmd2CzCabz2hEJF1XTsvrtkk -ASWOYP+4XiLxf2OLbYXRDRTXfiuLqvxN5gkoEauL8c8 --> ssh-ed25519 5VK9ng KkXWseT01qSmhEAeotqEi6CG4zzz+50TrKclYdn57AA -hThUinxaRHWTD/wAhELcYWj6qcQ8V0Ybi60cnUc7pdk ---- h3P58TD8hmBfKLliCDSL4m3bCJHLs80yZ4i/croZp48 -]sM`g|Z=0'xcЄʐ_٥T \ No newline at end of file +-> ssh-ed25519 jxhkLg FFstKIybiFO48aoLNDSnDSdwIHAZEwe7CSWt6+YnqyA +3i7YRHdvQ2kD+frqH1+wvCnWx4py78fahA7AWAEMx1I +-> ssh-ed25519 tqMvRA 5KeC4teldBf/QTudaRtHbP+6LfpZ/m75wxVq4M8LxEU +H8Ee4v44FRfapY8tRGEFOneVzji8QOv/u1uIUD/mrJs +-> ssh-ed25519 5VK9ng K/C8z7WTlyjLsH4n4ufAVrCMCkVgQuFPpyNz6Mcxl24 +dsZ/aO4DIzni7Dkiju8JVPnklhvAdiujunaL7WfAaOc +--- kJ92gmMAzGRD8THcfjF/k00eo3+oMSiETAYR4wJOsj8 +tX&ڽnI3q:<<YC' \ No newline at end of file diff --git a/secrets/papers-environment-file.age b/secrets/papers-environment-file.age index 51e2637..16db7ef 100644 --- a/secrets/papers-environment-file.age 
+++ b/secrets/papers-environment-file.age @@ -1,11 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 jxhkLg BZflK7sIBRQVRQFl06h25sX5KiWHsu3g39r/8uMpcwE -beZ8ZBKgRvJvY3EEhJ/ylKdDdWTz2u08pvWbVaFg8m8 --> ssh-ed25519 tqMvRA CQtMI9v79kBZoiBrxLY91756LiAJGogbTb+ayd6cRmo -F2MiE9whRNZ73cskxhXeuudvMgA4JOvbtzotNpHMIf4 --> ssh-ed25519 KkzjXA uH+5mcV0ZZ5oKNfq88ihWHY/Z8YpgPjzvkcvhMJOKU8 -4z8x8XyAYsaIkXFylMEAwacHyQEJ/1mYFXsEsdnZ74w ---- vlF5pHK/D7m3ErKazggz4xxdn2hcwGvvIYrZtn2sT8Q -o5 2x6N/NH_SHB^Lh -{,Cjƽ啐451%c_`41@ڑT׸|>vv6 ڭ(^%ս -1xZ>7>Oֱ%-J s@FUGA \ No newline at end of file +-> ssh-ed25519 jxhkLg b83U678xLJlB1FFoxSaeG7JN/4v1sVU4QsITY3j/awc +Dhc/V5R3bK9x7i2ws9FQ4O4HHT6xTlaEKt3SXJhihTk +-> ssh-ed25519 tqMvRA KPLjl31HwXs/ucQ/LJwEL2+px2mSkCk812bGk9rTiWs +qADzPQi44e9QiQpXpoyhNNDuULJhTXo9x0109lyOq10 +-> ssh-ed25519 KkzjXA 6Xwc9hqBdR7LPYNmfEn5+M0n6QTEBkuNTBk/t7ofh3Q +GjcVMhPZ6X4ybBxtIabKFegicdTZbq+zQWvn9PYNeME +--- 3ZY5ysyGfwJ6Y0/FEO7YpsFkAJkn9B4D3gIzpZBPx10 +;v"ޑF>J4^GeZԍ$ʱcLܝ +nj%HM=[]J}IWAEdgWbߚB|_1 \HeLzюUF}E*Խ} +ȱj#_cʭ5}?-< ssh-ed25519 jxhkLg tYj2oLp8OWZtYmj0gKJnEE5G+3tmfPul8tGt5fnnwDs -/SujjcZxvPmZurlLWETwR8JhH8LIJh/MeoogW5VxP8w --> ssh-ed25519 tqMvRA qY8Cv7G1UJm139N9NxA4dAXAfje42n6p7ZajU8r8Fgo -Qw4WobdnlixxHxAwiTCGyeJGzcfOWxslOmS/sYhiTug --> ssh-ed25519 DVDL4g Lkxuay1WN05O7uO+onML4INymrsBf8DrBHyGPhSW5xQ -sAdASiFmiCDRl7WfI5k6Qz+fKY/FG5H9dLucFluSFTI ---- NjnXZAi+St4JHuxdQ6/rpT//nwTwY3MA59MotWicycA -EwLK? i6jw2YMˇrVOP?- \ No newline at end of file +-> ssh-ed25519 jxhkLg Jt0tBomUSwoxIf+D0n2leQ8ULQcrpWJDN4Tm/obLnyg +yct3YGS4BiDsAZPlKZybD7GVoqQdL1EZ6dlHXSY5b8U +-> ssh-ed25519 tqMvRA amDzRhpIGTVsZxAHWSUacZ629OEttMU1VAOVKdCLyFE +2fRvar0fSfbYyw+O4zpE3DusNKtuFDOCVxSzMccaMKg +-> ssh-ed25519 DVDL4g QIXLyMveRBfhcNCrbI0ZpZqjaB5j76ROsXs7pUquZXI +vYciNWwJrTuGOZToE7eoCYhrGOlwqd6tuYeIUXQGjTs +--- 0J/foPauSiv/wNTq2TkTVBnQOqm1dll+xyqwFqM9lpY +Ƃ1LKm+5bo \ No newline at end of file 
diff --git a/secrets/proxy-dns-provider-config.age b/secrets/proxy-dns-provider-config.age index e7e235d..17e8f4d 100644 Binary files a/secrets/proxy-dns-provider-config.age and b/secrets/proxy-dns-provider-config.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1e3fd1f..c29f619 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -31,6 +31,10 @@ in group = "nginx"; }; }; + "mail-smtp-relay.age" = { + publicKeys = users ++ [ keys.mail ]; + extra.owner = "postfix"; + }; "matrix-maubot-cfg.age".publicKeys = users ++ [ keys.matrix ]; diff --git a/secrets/yarrr-env.age b/secrets/yarrr-env.age index a1c67ab..1c6a07c 100644 Binary files a/secrets/yarrr-env.age and b/secrets/yarrr-env.age differ