From ecb6d1ef63bff1da93c73e026d2710719283b14e Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sat, 11 Mar 2023 22:36:52 -0700
Subject: [PATCH] Migrate mailserver to ponyo
---
 common/network/pia-wireguard.nix | 10 ++--
 common/server/default.nix | 2 +
 common/server/gitea.nix | 9 ++--
 common/server/mailserver.nix | 72 +++++++++++++++++++++++++++
 common/server/nextcloud.nix | 26 ++++++++++
 machines/liza/configuration.nix | 84 -------------------------------
 machines/ponyo/configuration.nix | 3 +-
 7 files changed, 113 insertions(+), 93 deletions(-)
 create mode 100644 common/server/mailserver.nix
 create mode 100644 common/server/nextcloud.nix
diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix
index 802b686..022ee88 100644
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -32,11 +32,11 @@ in {
 type = lib.types.str;
 default = "piaw";
 };
- # forwardedPort = lib.mkOption {
- # type = lib.types.port;
- # description = "The port to redirect port forwarded TCP VPN traffic too";
- # default = 15050;
- # };
+ forwardedPort = lib.mkOption {
+ type = lib.types.port;
+ description = "The port to redirect port forwarded TCP VPN traffic too";
+ default = 15050;
+ };
 # TODO allow disabling this
 portForwarding = lib.mkEnableOption "Enables PIA port fowarding";
diff --git a/common/server/default.nix b/common/server/default.nix
index 6f0f673..d2b802c 100644
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -14,5 +14,7 @@
 ./radio.nix
 ./samba.nix
 ./owncast.nix
+ ./mailserver.nix
+ ./nextcloud.nix
 ];
 }
\ No newline at end of file
diff --git a/common/server/gitea.nix b/common/server/gitea.nix
index 73b5c26..60ef1b3 100644
--- a/common/server/gitea.nix
+++ b/common/server/gitea.nix
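Review bot: The description on the re-enabled `forwardedPort` option reads "traffic too" where "to" is meant, and because the block was previously commented out this is the first time the text becomes user-visible; `description = "The port to redirect port-forwarded TCP VPN traffic to";`. Nothing in this hunk shows where the option's value is consumed, so whether the `15050` default actually drives a redirect rule cannot be confirmed here; a short comment on the option naming the consumer (or saying it is not wired up yet) would save the next reader the search. The enclosing options set continues past both ends of the hunk.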
@@ -14,11 +14,8 @@ in {
 domain = cfg.hostname;
 rootUrl = "https://${cfg.hostname}/";
 appName = cfg.hostname;
- ssh.enable = true;
 # lfs.enable = true;
 dump.enable = true;
- cookieSecure = true;
- disableRegistration = true;
 settings = {
 other = {
 SHOW_FOOTER_VERSION = false;
@@ -26,6 +23,12 @@ in {
 ui = {
 DEFAULT_THEME = "arc-green";
 };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ session = {
+ COOKIE_SECURE = true;
+ };
 };
 };
 services.nginx.enable = true;
diff --git a/common/server/mailserver.nix b/common/server/mailserver.nix
new file mode 100644
index 0000000..1854d38
--- /dev/null
+++ b/common/server/mailserver.nix
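Review bot: The first hunk removes `ssh.enable = true;` without re-expressing it under `settings`, whereas `cookieSecure` and `disableRegistration` are carried over as `session.COOKIE_SECURE` and `service.DISABLE_REGISTRATION` in the second hunk, and the commit message says nothing about Gitea's SSH behaviour. If SSH clone/push is meant to keep working, make that explicit next to the other settings, e.g. `server.DISABLE_SSH = false;`, rather than relying on whatever the module defaults to; if it is meant to be switched off, a one-line comment saying so would help the next reader. The `services.gitea` attribute set starts and ends outside both hunks.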
@@ -0,0 +1,72 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+ cfg = config.mailserver;
+in {
+ config = lib.mkIf cfg.enable {
+ mailserver = {
+ fqdn = "mail.neet.dev";
+ dkimKeyBits = 2048;
+ indexDir = "/var/lib/mailindex";
+ enableManageSieve = true;
+ fullTextSearch.enable = true;
+ fullTextSearch.indexAttachments = true;
+ fullTextSearch.memoryLimit = 500;
+ domains = [
+ "neet.space" "neet.dev" "neet.cloud"
+ "runyan.org" "runyan.rocks"
+ "thunderhex.com" "tar.ninja"
+ "bsd.ninja" "bsd.rocks"
+ ];
+ loginAccounts = {
+ "jeremy@runyan.org" = {
+ hashedPasswordFile = "/run/agenix/email-pw";
+ aliases = [
+ "@neet.space" "@neet.cloud" "@neet.dev"
+ "@runyan.org" "@runyan.rocks"
+ "@thunderhex.com" "@tar.ninja"
+ "@bsd.ninja" "@bsd.rocks"
+ ];
+ };
+ };
+ rejectRecipients = [
+ "george@runyan.org"
+ "joslyn@runyan.org"
+ "damon@runyan.org"
+ "jonas@runyan.org"
+ ];
+ certificateScheme = 3; # use let's encrypt for certs
+ };
+ age.secrets.email-pw.file = ../../secrets/email-pw.age;
+
+ # sendmail to use xxx@domain instead of xxx@mail.domain
+ services.postfix.origin = "$mydomain";
+
+ # relay sent mail through mailgun
+ # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
+ services.postfix.config = {
+ smtp_sasl_auth_enable = "yes";
+ smtp_sasl_security_options = "noanonymous";
+ smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
+ smtp_use_tls = "yes";
+ sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
+ smtp_sender_dependent_authentication = "yes";
+ };
+ services.postfix.mapFiles.sender_relay = let
+ relayHost = "[smtp.mailgun.org]:587";
+ in pkgs.writeText "sender_relay" ''
+ @neet.space ${relayHost}
+ @neet.cloud ${relayHost}
+ @neet.dev ${relayHost}
+ @runyan.org ${relayHost}
+ @runyan.rocks ${relayHost}
+ @thunderhex.com ${relayHost}
+ @tar.ninja ${relayHost}
+ @bsd.ninja ${relayHost}
+ @bsd.rocks ${relayHost}
+ '';
+ services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
+ age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
+ };
+}
\ No newline at end of file
diff --git a/common/server/nextcloud.nix b/common/server/nextcloud.nix
new file mode 100644
index 0000000..a76abcc
--- /dev/null
+++ b/common/server/nextcloud.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+ cfg = config.services.nextcloud;
+in {
+ config = lib.mkIf cfg.enable {
+ services.nextcloud = {
+ https = true;
+ package = pkgs.nextcloud23;
+ hostName = "neet.cloud";
+ config.dbtype = "sqlite";
+ config.adminuser = "jeremy";
+ config.adminpassFile = "/run/agenix/nextcloud-pw";
+ autoUpdateApps.enable = true;
+ };
+ age.secrets.nextcloud-pw = {
+ file = ../../secrets/nextcloud-pw.age;
+ owner = "nextcloud";
+ };
+ services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+}
\ No newline at end of file
diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix
index 5c5e1ac..5f6294e 100644
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
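Review bot: In the Mailgun relay block the only TLS setting is `smtp_use_tls = "yes"`, which is opportunistic, and `smtp_sasl_security_options = "noanonymous"` drops the `noplaintext` that Postfix's default carries; together they let Postfix fall back to a plaintext session and send the `sasl_relay_passwd` credentials via PLAIN/LOGIN should STARTTLS ever be unavailable on `[smtp.mailgun.org]:587`. With a fixed relay host, mandatory TLS is the right setting: replace that line with `smtp_tls_security_level = "encrypt";`, after which the credentials can only travel inside TLS. Separately, `hashedPasswordFile = "/run/agenix/email-pw"` and `mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd"` hard-code the mount path beside the matching `age.secrets.*.file` declarations; `config.age.secrets.email-pw.path` and `config.age.secrets.sasl_relay_passwd.path` would keep them in step. Both points predate this commit, since the block is moved verbatim from liza, but it is now a shared module and worth fixing once here.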
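Review bot: Nothing in this patch turns Nextcloud back on after the move: the block deleted from liza carried `enable = true;`, the new module is wrapped in `lib.mkIf cfg.enable`, and the ponyo hunk only adds `mailserver.enable = true;`, so unless `services.nextcloud.enable` is set somewhere outside this patch the `neet.cloud` vhost, its ACME certificate and the service itself go away with this commit. Either add `services.nextcloud.enable = true;` beside `mailserver.enable` in ponyo's configuration, or say in the commit message that Nextcloud is intentionally retired. The same move also bumps `pkgs.nextcloud22` to `pkgs.nextcloud23`; if the existing sqlite data directory is carried over, that major upgrade deserves a comment rather than being folded silently into a host migration. As in mailserver.nix, `config.adminpassFile = "/run/agenix/nextcloud-pw"` could be `config.age.secrets.nextcloud-pw.path` so it stays tied to the `age.secrets.nextcloud-pw` block below it.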
@@ -10,88 +10,4 @@
 networking.hostName = "liza";
 networking.interfaces.enp1s0.useDHCP = true;
-
- mailserver = {
- enable = true;
- fqdn = "mail.neet.dev";
- dkimKeyBits = 2048;
- indexDir = "/var/lib/mailindex";
- enableManageSieve = true;
- fullTextSearch.enable = true;
- fullTextSearch.indexAttachments = true;
- fullTextSearch.memoryLimit = 500;
- domains = [
- "neet.space" "neet.dev" "neet.cloud"
- "runyan.org" "runyan.rocks"
- "thunderhex.com" "tar.ninja"
- "bsd.ninja" "bsd.rocks"
- ];
- loginAccounts = {
- "jeremy@runyan.org" = {
- hashedPasswordFile = "/run/agenix/email-pw";
- aliases = [
- "@neet.space" "@neet.cloud" "@neet.dev"
- "@runyan.org" "@runyan.rocks"
- "@thunderhex.com" "@tar.ninja"
- "@bsd.ninja" "@bsd.rocks"
- ];
- };
- };
- rejectRecipients = [
- "george@runyan.org"
- "joslyn@runyan.org"
- "damon@runyan.org"
- "jonas@runyan.org"
- ];
- certificateScheme = 3; # use let's encrypt for certs
- };
- age.secrets.email-pw.file = ../../secrets/email-pw.age;
-
- # sendmail to use xxx@domain instead of xxx@mail.domain
- services.postfix.origin = "$mydomain";
-
- # relay sent mail through mailgun
- # https://www.howtoforge.com/community/threads/different-smtp-relays-for-different-domains-in-postfix.82711/#post-392620
- services.postfix.config = {
- smtp_sasl_auth_enable = "yes";
- smtp_sasl_security_options = "noanonymous";
- smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/sasl_relay_passwd";
- smtp_use_tls = "yes";
- sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
- smtp_sender_dependent_authentication = "yes";
- };
- services.postfix.mapFiles.sender_relay = let
- relayHost = "[smtp.mailgun.org]:587";
- in pkgs.writeText "sender_relay" ''
- @neet.space ${relayHost}
- @neet.cloud ${relayHost}
- @neet.dev ${relayHost}
- @runyan.org ${relayHost}
- @runyan.rocks ${relayHost}
- @thunderhex.com ${relayHost}
- @tar.ninja ${relayHost}
- @bsd.ninja ${relayHost}
- @bsd.rocks ${relayHost}
- '';
- services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
- age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
-
- services.nextcloud = {
- enable = true;
- https = true;
- package = pkgs.nextcloud22;
- hostName = "neet.cloud";
- config.dbtype = "sqlite";
- config.adminuser = "jeremy";
- config.adminpassFile = "/run/agenix/nextcloud-pw";
- autoUpdateApps.enable = true;
- };
- age.secrets.nextcloud-pw = {
- file = ../../secrets/nextcloud-pw.age;
- owner = "nextcloud";
- };
- services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
- enableACME = true;
- forceSSL = true;
- };
 }
diff --git a/machines/ponyo/configuration.nix b/machines/ponyo/configuration.nix
index 1ce0d31..cb759cf 100644
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
@@ -11,10 +11,11 @@
 services.zerotierone.enable = true;
+ mailserver.enable = true;
+
 services.gitea = {
 enable = true;
 hostname = "git.neet.dev";
- disableRegistration = true;
 };
 services.thelounge = {