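{ ... }:
let
  # One ed25519 key is authorized for both the admin user and root over SSH.
  myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";

  # Caddy's on-disk ACME storage for the mail host. Stalwart gets private
  # copies of these files (see stalwart-certs below) instead of reading
  # Caddy's storage directly.
  caddyCertDir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru";
  stalwartCertDir = "/var/lib/stalwart-mail/certs";
in
{
  imports = [
    ./hardware-configuration.nix
    ./disko-config.nix
  ];

  # Decrypted at activation by agenix; owned by the Stalwart service user so
  # the daemon can read it through the %{file:...}% reference below.
  age.secrets.stalwart-admin-password = {
    file = ../../secrets/stalwart-admin-password.age;
    owner = "stalwart-mail";
  };

  users.users = {
    flygrounder.openssh.authorizedKeys.keys = [ myKey ];
    # Root accepts the same key; with the NixOS sshd default of
    # PermitRootLogin=prohibit-password this is key-only root access.
    root.openssh.authorizedKeys.keys = [ myKey ];
  };

  # A trusted user can pass arbitrary settings to nix-daemon (extra
  # substituters, sandbox off, ...), which is effectively root. Keep this
  # list to the single admin account.
  nix.settings.trusted-users = [ "flygrounder" ];

  home-manager.users.flygrounder.custom = {
    catppuccin.enable = true;
    cli.enable = true;
    neovim.enable = true;
  };

  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      # With PAM enabled, keyboard-interactive can still prompt for the
      # account password; turn it off as well so sshd is strictly key-based.
      KbdInteractiveAuthentication = false;
    };
  };

  services.caddy = {
    enable = true;
    virtualHosts = {
      "flygrounder.ru".extraConfig = ''
        reverse_proxy localhost:1234
      '';

      "mtg-bot.flygrounder.ru".extraConfig = ''
        reverse_proxy localhost:3000
      '';

      # Syncthing's GUI rejects requests whose Host header is not a local
      # name (DNS-rebinding protection), hence the Host rewrite.
      # NOTE(review): this exposes the Syncthing GUI to the internet behind
      # nothing but Syncthing's own GUI login — make sure that login is set.
      "syncthing.flygrounder.ru".extraConfig = ''
        reverse_proxy localhost:8384 {
          header_up Host localhost
        }
      '';

      # Vaultwarden reads the client address from X-Real-IP (its IP_HEADER
      # default), which it needs for login rate limiting and audit logging.
      "vaultwarden.flygrounder.ru".extraConfig = ''
        encode zstd gzip
        reverse_proxy localhost:8222 {
          header_up X-Real-IP {remote_host}
        }
      '';

      # Stalwart's HTTP (JMAP / web admin) listener.
      # NOTE(review): Caddy forwards X-Forwarded-For, but Stalwart only uses
      # it for rate limiting and fail2ban-style blocking when told to trust
      # the proxy (server.http.use-x-forwarded in recent releases — confirm
      # the option name for the installed version). Without that, every
      # client is seen as 127.0.0.1 and per-IP limits are shared.
      "mail.flygrounder.ru".extraConfig = ''
        reverse_proxy localhost:8080
      '';
    };
  };

  services.stalwart = {
    enable = true;
    # Firewall ports are listed explicitly under networking.firewall below;
    # openFirewall derives ports from every listener, which may include the
    # loopback-only 8080, so it is not used.
    settings = {
      server = {
        hostname = "mail.flygrounder.ru";
        tls = {
          enable = true;
          implicit = true;
        };
        listener = {
          # Port 25 (MTA-to-MTA) must start in cleartext and upgrade via
          # STARTTLS; say so explicitly so the global implicit-TLS default
          # above can never turn it into a TLS-only socket that other mail
          # servers cannot talk to.
          smtp = {
            protocol = "smtp";
            bind = "0.0.0.0:25";
            tls.implicit = false;
          };
          submissions = {
            protocol = "smtp";
            bind = "0.0.0.0:465";
            tls.implicit = true;
          };
          imaps = {
            protocol = "imap";
            bind = "0.0.0.0:993";
            tls.implicit = true;
          };
          # Plain HTTP, loopback only — reachable solely through Caddy.
          jmap = {
            protocol = "http";
            bind = "127.0.0.1:8080";
          };
        };
      };

      # Copies of Caddy's certificate, kept in sync by stalwart-certs.
      certificate."default" = {
        cert = "%{file:${stalwartCertDir}/mail.flygrounder.ru.crt}%";
        private-key = "%{file:${stalwartCertDir}/mail.flygrounder.ru.key}%";
      };

      # Break-glass admin account; the secret never enters the Nix store.
      authentication.fallback-admin = {
        user = "admin";
        secret = "%{file:/run/agenix/stalwart-admin-password}%";
      };

      tracer."log" = {
        type = "log";
        path = "/var/log/stalwart-mail";
      };
    };
  };

  services.vaultwarden = {
    enable = true;
    config = {
      DOMAIN = "https://vaultwarden.flygrounder.ru";
      # No self-service registration.
      SIGNUPS_ALLOWED = false;
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
      ROCKET_LOG = "critical";
    };
  };

  # Re-copy the certificate whenever Caddy renews it.
  # NOTE(review): PathModified fires on inotify IN_MODIFY, i.e. while the
  # file is being written, so a copy could in principle observe a partially
  # written PEM. If Stalwart ever fails to start after a renewal, add a
  # short delay or validate the copied files before restarting it.
  systemd.paths.stalwart-certs = {
    wantedBy = [ "multi-user.target" ];
    pathConfig.PathModified = "${caddyCertDir}/mail.flygrounder.ru.crt";
  };

  systemd.services.stalwart-certs = {
    after = [ "caddy.service" ];
    before = [ "stalwart.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig.Type = "oneshot";
    # On a fresh host this fails until Caddy has obtained the certificate
    # once, and Stalwart (which Requires= this unit) stays down until then —
    # preferable to starting the mail server without TLS material.
    # umask 077 makes the copies private from the moment they are created
    # rather than only after the chmod; the certs directory is owned by the
    # service user so it can be traversed despite mode 700.
    script = ''
      umask 077
      mkdir -p ${stalwartCertDir}
      chown stalwart-mail:stalwart-mail ${stalwartCertDir}
      chmod 700 ${stalwartCertDir}
      cp -L ${caddyCertDir}/mail.flygrounder.ru.crt ${stalwartCertDir}/
      cp -L ${caddyCertDir}/mail.flygrounder.ru.key ${stalwartCertDir}/
      chown stalwart-mail:stalwart-mail ${stalwartCertDir}/*
      chmod 600 ${stalwartCertDir}/*
    '';
    # Make Stalwart pick up the new certificate. At boot this is a no-op:
    # Stalwart is ordered after this unit and is not active yet.
    postStop = ''
      if systemctl is-active --quiet stalwart.service; then
        systemctl --no-block restart stalwart.service
      fi
    '';
  };

  # Stalwart must not start without its certificate copies.
  systemd.services.stalwart.after = [ "stalwart-certs.service" ];
  systemd.services.stalwart.requires = [ "stalwart-certs.service" ];

  networking = {
    firewall.allowedTCPPorts = [
      80  # Caddy: ACME HTTP-01
      443 # Caddy: HTTPS for all virtual hosts
      25  # SMTP (cleartext + STARTTLS)
      465 # submissions (implicit TLS)
      993 # IMAPS
    ];
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
    interfaces.ens3.ipv4.addresses = [
      { address = "62.109.27.62"; prefixLength = 32; }
    ];
    # /32 address with an off-subnet gateway, as handed out by the VPS host.
    defaultGateway = {
      address = "10.0.0.1";
      interface = "ens3";
    };
  };
}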