nixos-config/hosts/server/configuration.nix

{ ... }:
let
  myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
in
{
  age.secrets.stalwart-admin-password = {
    file = ../../secrets/stalwart-admin-password.age;
    owner = "stalwart-mail";
  };

  users.users = {
    flygrounder = {
      openssh.authorizedKeys.keys = [
        myKey
      ];
    };
    root = {
      openssh.authorizedKeys.keys = [
        myKey
      ];
    };
  };

  home-manager.users.flygrounder.custom = {
    catppuccin.enable = true;
    cli.enable = true;
    neovim.enable = true;
  };

  services = {
    caddy = {
      enable = true;
      virtualHosts = {
        "flygrounder.ru" = {
          extraConfig = ''
            reverse_proxy localhost:1234
          '';
        };
        "mtg-bot.flygrounder.ru" = {
          extraConfig = ''
            reverse_proxy localhost:3000
          '';
        };
        "syncthing.flygrounder.ru" = {
          extraConfig = ''
            reverse_proxy localhost:8384 {
              header_up Host localhost
            }
          '';
        };
        "vaultwarden.flygrounder.ru" = {
          extraConfig = ''
            encode zstd gzip

            reverse_proxy localhost:8222 {
              header_up X-Real-IP {remote_host}
            }
          '';
        };
        "mail.flygrounder.ru" = {
          extraConfig = ''
            reverse_proxy localhost:8080
          '';
        };
      };
    };
    stalwart = {
      enable = true;
      openFirewall = true;
      settings = {
        server = {
          hostname = "mail.flygrounder.ru";
          tls = {
            enable = true;
            implicit = true;
          };
          listener = {
            smtp = {
              protocol = "smtp";
              bind = "0.0.0.0:25";
            };
            submissions = {
              bind = "0.0.0.0:465";
              protocol = "smtp";
              tls.implicit = true;
            };
            imaps = {
              bind = "0.0.0.0:993";
              protocol = "imap";
              tls.implicit = true;
            };
            jmap = {
              bind = "127.0.0.1:8080";
              protocol = "http";
            };
          };
        };
        certificate."default" = {
          cert = "%{file:/var/lib/stalwart-mail/certs/mail.flygrounder.ru.crt}%";
          private-key = "%{file:/var/lib/stalwart-mail/certs/mail.flygrounder.ru.key}%";
        };

        authentication.fallback-admin = {
          user = "admin";
          secret = "%{file:/run/agenix/stalwart-admin-password}%";
        };
        tracer."log" = {
          type = "log";
          path = "/var/log/stalwart-mail";
        };
      };
    };
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
      };
    };
    vaultwarden = {
      enable = true;
      config = {
        DOMAIN = "https://vaultwarden.flygrounder.ru";
        SIGNUPS_ALLOWED = false;

        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        ROCKET_LOG = "critical";
      };
    };
  };

  systemd.paths.stalwart-certs = {
    wantedBy = [ "multi-user.target" ];
    pathConfig = {
      PathModified = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt";
    };
  };

  systemd.services.stalwart-certs = {
    after = [ "caddy.service" ];
    before = [ "stalwart.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
    };
    script = ''
      mkdir -p /var/lib/stalwart-mail/certs
      cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt /var/lib/stalwart-mail/certs/
      cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.key /var/lib/stalwart-mail/certs/
      chown stalwart-mail:stalwart-mail /var/lib/stalwart-mail/certs/*
      chmod 600 /var/lib/stalwart-mail/certs/*
    '';
    postStop = ''
      if systemctl is-active --quiet stalwart.service; then
        systemctl --no-block restart stalwart.service
      fi
    '';
  };

  systemd.services.stalwart.after = [ "stalwart-certs.service" ];
  systemd.services.stalwart.requires = [ "stalwart-certs.service" ];

  imports = [
    ./hardware-configuration.nix
    ./disko-config.nix
  ];

  nix.settings.trusted-users = [ "flygrounder" ];

  networking = {
    firewall = {
      allowedTCPPorts = [
        80
        443
        25
        465
        993
      ];
    };
    nameservers = [
      "1.1.1.1"
      "8.8.8.8"
    ];
    interfaces.ens3.ipv4.addresses = [
      {
        address = "62.109.27.62";
        prefixLength = 32;
      }
    ];
    defaultGateway = {
      address = "10.0.0.1";
      interface = "ens3";
    };
  };
}