feat: add idmail for aliases

2025-10-10 23:00:39 +02:00 · 2024-07-26 14:58:32 +02:00 · 2024-07-26 14:58:32 +02:00 · 7f7b053e0a
commit 7f7b053e0a
parent cb4f4f251f
9 changed files with 607 additions and 136 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -10,6 +10,7 @@
    inputs.disko.nixosModules.disko
    inputs.elewrap.nixosModules.default
    inputs.home-manager.nixosModules.default
+    inputs.idmail.nixosModules.default
    inputs.impermanence.nixosModules.impermanence
    inputs.nix-topology.nixosModules.default
    inputs.nixos-extra-modules.nixosModules.default
--- a/config/users.nix
+++ b/config/users.nix
@ -34,5 +34,6 @@
    minecraft = uidGid 975;
    stalwart-mail = uidGid 974;
    netbird-home = uidGid 973;
+    idmail = uidGid 972;
  };
 }
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -33,6 +33,11 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    idmail = {
+      url = "github:oddlama/idmail";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    impermanence.url = "github:nix-community/impermanence";

    microvm = {
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -12,7 +12,7 @@
    ./acme.nix
    ./fs.nix
    ./net.nix
-    #./maddy.nix
+    ./idmail.nix
    ./stalwart-mail.nix
  ];

--- a/hosts/envoy/idmail.nix
+++ b/hosts/envoy/idmail.nix
@ -0,0 +1,42 @@
+{config, ...}: let
+  mailDomains = config.repo.secrets.global.domains.mail;
+  primaryDomain = mailDomains.primary;
+  idmailDomain = "alias.${primaryDomain}";
+in {
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/idmail";
+      user = "idmail";
+      group = "idmail";
+      mode = "0700";
+    }
+  ];
+
+  globals.services.idmail.domain = idmailDomain;
+  globals.monitoring.http.idmail = {
+    url = "https://${idmailDomain}";
+    expectedBodyRegex = "idmail";
+    network = "internet";
+  };
+
+  services.idmail.enable = true;
+  systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute
+
+  services.nginx = {
+    upstreams.idmail = {
+      servers."127.0.0.1:3000" = {};
+      extraConfig = ''
+        zone idmail 64k;
+        keepalive 2;
+      '';
+    };
+    virtualHosts.${idmailDomain} = {
+      forceSSL = true;
+      useACMEWildcardHost = true;
+      locations."/" = {
+        proxyPass = "http://idmail";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
--- a/hosts/envoy/secrets/stalwart-admin-hash.age
+++ b/hosts/envoy/secrets/stalwart-admin-hash.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 4dtyNzQ1aoj+se7IxhCnN9A8bOmhPxm3bibijfCNjVw
+PoRE6VrM+shoneZJAS+Fh/kIjn9tX6mw9Kr2vD3xOSE
+-> piv-p256 xqSe8Q AwvKCfsTHQh3Z05VZ3kRtaa90pqyR3tY+wKwwibfdvzF
+dFjn+siQjWdhMVCGsiZyFNBykTrCIrHr9zt3aRxtSQc
+-> A'xo-grease KM'D
+4D/ij+JrWVbUTv75EljIaE8L9JhFP3Dz
+--- inyuu2A3QIBGnRj8WyQKX8+XdVDBCmANdyaHkQ0ZS7s
+”_hð”u‘ã³ŠÏPÖ?I'ó°Fi�ñÙÞ¶3»ÓÊý¸e‰t)ÚÃàEñ‡›à,�¯	·÷ê«3ŸrQ”X?mo¬ÃÕ—YuÒHi90öÆ7€áé*•§ßÕZH—]z¨:XzÖ
+oóT™3(DšØþ7¨à�ð®÷á
+×ô@¯�fšû³UúÝZ„<ñÎ·(©E‘ï–TG:¹sÇÑ‚—Æ‘“4€<â5UÞšÖª²·½‘R*_`BoŒ˜æ
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -32,6 +32,7 @@
            nixpkgs.overlays =
              (import ../pkgs/default.nix inputs)
              ++ [
+                inputs.idmail.overlays.default
                inputs.nix-topology.overlays.default
                inputs.nixos-extra-modules.overlays.default
                inputs.nixvim.overlays.default
--- a/secrets/rekeyed/envoy/48b9b9d8780a065399e9dae22f1491b0-stalwart-admin-hash.age
+++ b/secrets/rekeyed/envoy/48b9b9d8780a065399e9dae22f1491b0-stalwart-admin-hash.age