init: mailserver

configuration.nix

@@ -115,6 +115,8 @@
     filebrowser
     dufs
     git
+    git-graph
+    gitui
     helix
     nil
     starship

coturn.nix

@@ -56,17 +56,30 @@
       allowedTCPPorts = [ 3478 5349 ];
     };
   };
-  # get a certificate
-  security.acme.certs.${config.services.coturn.realm} = {
-    /* insert here the right configuration to obtain a certificate */
-    postRun = "systemctl restart coturn.service";
-    group = "turnserver";
+  services.nginx = {
+    enable = true;
+    virtualHosts."turn.sondell.org" = {
+      forceSSL = true;
+      enableACME = true;
+    };
   };
-  # configure synapse to point users to coturn
-  # services.matrix-synapse = with config.services.coturn; {
-  #   turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
-  #   turn_shared_secret = static-auth-secret;
-  #   turn_user_lifetime = "1h";
+  # get a certificate
+  users.users.nginx.extraGroups = [
+    "turnserver"
+  ];
+  # security.acme.certs.${config.services.coturn.realm} = {
+  #   /* insert here the right configuration to obtain a certificate */
+  #   postRun = "systemctl restart coturn.service";
+  #   group = "turnserver";
   # };
+  # configure synapse to point users to coturn
+  services.matrix-synapse = with config.services.coturn; {
+    settings.turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+    settings.turn_user_lifetime = "1h";
+    # turn_shared_secret = static-auth-secret;
+    extraConfigFiles = [
+      config.services.coturn.static-auth-secret-file
+    ];
+  };
 }
 

dbg/err.log

@@ -0,0 +1,104 @@
+apr 03 10:27:48 nixos Nextcloud[150872]: {"reqId":"pW9oiFQa0uFJNtYkN650",
+"level":4,
+"time":"2024-04-03T08:27:48+00:00",
+"remoteAddr":"",
+"user":"--",
+"app":"no app in context",
+"method":"",
+"url":"--",
+"message":"{\"Exception\":\"RedisException\",
+\"Message\":\"ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?\",
+\"Code\":0,
+\"Trace\":[{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/RedisFactory.php\",
+\"line\":123,
+\"function\":\"auth\",
+\"class\":\"Redis\",
+\"type\":\"->\",
+\"args\":[\"*** sensitive parameters replaced ***\"]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/RedisFactory.php\",
+\"line\":158,
+\"function\":\"create\",
+\"class\":\"OC\\\\RedisFactory\",
+\"type\":\"->\",
+\"args\":[\"*** sensitive parameters replaced ***\"]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/Memcache/Redis.php\",
+\"line\":70,
+\"function\":\"getInstance\",
+\"class\":\"OC\\\\RedisFactory\",
+\"type\":\"->\",
+\"args\":[]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/Memcache/Redis.php\",
+\"line\":76,
+\"function\":\"getCache\",
+\"class\":\"OC\\\\Memcache\\\\Redis\",
+\"type\":\"->\",
+\"args\":[]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/apps/workflowengine/lib/Manager.php\",
+\"line\":113,
+\"function\":\"get\",
+\"class\":\"OC\\\\Memcache\\\\Redis\",
+\"type\":\"->\",
+\"args\":[\"events\"]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/apps/workflowengine/lib/AppInfo/Application.php\",
+\"line\":71,
+\"function\":\"getAllConfiguredEvents\",
+\"class\":\"OCA\\\\WorkflowEngine\\\\Manager\",
+\"type\":\"->\",
+\"args\":[]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/AppFramework/Bootstrap/FunctionInjector.php\",
+\"line\":45,
+\"function\":\"registerRuleListeners\",
+\"class\":\"OCA\\\\WorkflowEngine\\\\AppInfo\\\\Application\",
+\"type\":\"->\",
+\"args\":[[\"OC\\\\EventDispatcher\\\\EventDispatcher\"],
+[\"OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer\"],
+[\"OC\\\\AppFramework\\\\ScopedPsrLogger\"]]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/AppFramework/Bootstrap/BootContext.php\",
+\"line\":50,
+\"function\":\"injectFn\",
+\"class\":\"OC\\\\AppFramework\\\\Bootstrap\\\\FunctionInjector\",
+\"type\":\"->\",
+\"args\":[[\"Closure\"]]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/apps/workflowengine/lib/AppInfo/Application.php\",
+\"line\":63,
+\"function\":\"injectFn\",
+\"class\":\"OC\\\\AppFramework\\\\Bootstrap\\\\BootContext\",
+\"type\":\"->\",
+\"args\":[[\"Closure\"]]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/AppFramework/Bootstrap/Coordinator.php\",
+\"line\":200,
+\"function\":\"boot\",
+\"class\":\"OCA\\\\WorkflowEngine\\\\AppInfo\\\\Application\",
+\"type\":\"->\",
+\"args\":[[\"OC\\\\AppFramework\\\\Bootstrap\\\\BootContext\"]]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/App/AppManager.php\",
+\"line\":434,
+\"function\":\"bootApp\",
+\"class\":\"OC\\\\AppFramework\\\\Bootstrap\\\\Coordinator\",
+\"type\":\"->\",
+\"args\":[\"workflowengine\"]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/App/AppManager.php\",
+\"line\":213,
+\"function\":\"loadApp\",
+\"class\":\"OC\\\\App\\\\AppManager\",
+\"type\":\"->\",
+\"args\":[\"workflowengine\"]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/legacy/OC_App.php\",
+\"line\":125,
+\"function\":\"loadApps\",
+\"class\":\"OC\\\\App\\\\AppManager\",
+\"type\":\"->\",
+\"args\":[[]]},
+{\"file\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/cron.php\",
+\"line\":55,
+\"function\":\"loadApps\",
+\"class\":\"OC_App\",
+\"type\":\"::\",
+\"args\":[]}],
+\"File\":\"/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3/lib/private/RedisFactory.php\",
+\"Line\":123,
+\"message\":\"Could not boot workflowengine: ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?\",
+\"exception\":{},
+\"CustomMessage\":\"Could not boot workflowengine: ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?\"}",
+"userAgent":"--",
+"version":"28.0.3.2"}

dbg/nextcloud

@@ -0,0 +1 @@
+/nix/store/75z9bwr5zn527sj6wg6f8g737k7yhlrl-nextcloud-28.0.3

dbg/nextcloud.cfg

@@ -0,0 +1 @@
+/var/lib/nextcloud

dbg/nextredis.cfg

@@ -0,0 +1 @@
+/var/lib/redis-nextcloud

dbg/redis-nixos.conf

@@ -0,0 +1 @@
+/nix/store/alsv8fyd8m1j006sz7c6p8x9cn9kmz7f-redis.conf

filebrowser.nix

@@ -19,7 +19,7 @@ in
   };
 
   systemd.services.tailBrowser = with pkgs; {
-    enable = true;
+    enable = false;
     description = "serve via tailscale filebrowser";
     wantedBy = [ "multi-user.target" ];
     unitConfig = {

flake.lock

@@ -1,5 +1,37 @@
 {
   "nodes": {
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -39,13 +71,36 @@
         "url": "https://git.sondell.org/glennwso/home.git"
       }
     },
+    "nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1710449465,
+        "narHash": "sha256-2orO8nfplp6uQJBFqKkj1iyNMC6TysmwbWwbb4osTag=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "79c8cfcd5873a85559da6201b116fb38b490d030",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709237383,
-        "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
+        "lastModified": 1711703276,
+        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
+        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
         "type": "github"
       },
       "original": {
@@ -58,6 +113,7 @@
     "root": {
       "inputs": {
         "home": "home",
+        "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs"
       }
     },
@@ -75,6 +131,39 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,11 +2,16 @@
   inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
   inputs.home.url = "git+https://git.sondell.org/glennwso/home.git";
   inputs.home.inputs.nixpkgs.follows = "nixpkgs";
+  inputs.nixos-mailserver = {
+    url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+    inputs.nixpkgs.follows = "nixpkgs";
+  };
 
-  outputs = { self, nixpkgs, home }@attrs:
+  outputs = { self, nixpkgs, home, nixos-mailserver}@attrs:
   let 
     system = "x86_64-linux";
     homepage = home.packages.${system}.default;
+    mailserver = nixos-mailserver.nixosModules.default;
   in
    {
     # replace 'joes-desktop' with your hostname here.
@@ -24,8 +29,9 @@
         ./filebrowser.nix
         ./tail.nix
         ./matrix.nix
+        ./coturn.nix  
+        (import ./mail.nix {inherit mailserver;})
         (import ./homepage.nix {inherit homepage;})
-        # ./coturn.nix  # disabled becouse tls not solved
       ];
 
     };

forgejo.nix

@@ -28,6 +28,8 @@ in
   };
 
   services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
     locations."/" = {
       proxyPass = "http://localhost:3000/";
     };

mail.nix

@@ -0,0 +1,40 @@
+{ mailserver , ... }:
+{
+  imports = [
+    mailserver
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.sondell.org";
+    domains = [ "sondell.org" ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # cat .secrets/nextadminpw | nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > .secrets/mailpw.hash
+    loginAccounts = {
+      "admin@sondell.org" = {
+        hashedPasswordFile = "/etc/nixos/.secrets/mailpw.hash";
+        aliases = ["info@sondell.org"];
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+
+  # services.roundcube = {
+  #    enable = true;
+  #    # this is the url of the vhost, not necessarily the same as the fqdn of
+  #    # the mailserver
+  #    hostName = "webmail.sondell.org";
+  #    extraConfig = ''
+  #      # starttls needed for authentication, so the fqdn required to match
+  #      # the certificate
+  #      $config['smtp_server'] = "tls://${mailserver.fqdn}";
+  #      $config['smtp_user'] = "%u";
+  #      $config['smtp_pass'] = "%p";
+  #    '';
+  # };
+  
+}

matrix.nix

@@ -2,7 +2,6 @@
 
 let
   domain = "sondell.org";
-  matrixAdress = "m.${domain}";
   hostName = "matrix";
   fqdn = "${hostName}.${domain}";
   baseUrl = "https://${fqdn}";
@@ -53,11 +52,11 @@ services.postgresql = {
 
   services.nginx.virtualHosts = {
     ${fqdn} = {
-      # enableACME = true;
-      # forceSSL = true;
-      locations."/".extraConfig = ''
-        return 404;
-      '';
+      enableACME = true;
+      forceSSL = true;
+      # locations."/".extraConfig = ''
+      #   return 404;
+      # '';
       # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
       # *must not* be used here.
       locations."/_matrix".proxyPass = "http://[::1]:8008";
@@ -65,21 +64,21 @@ services.postgresql = {
       locations."/_synapse/client".proxyPass = "http://[::1]:8008";
     };
 
-    ${matrixAdress} = {
-      # enableACME = true;
-      # forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://localhost:8008";
-      };
-    #   # This section is not needed if the server_name of matrix-synapse is equal to
-    #   # the domain (i.e. example.org from @foo:example.org) and the federation port
-    #   # is 8448.
-    #   # Further reference can be found in the docs about delegation under
-    #   # https://element-hq.github.io/synapse/latest/delegate.html
+    ${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      # locations."/" = {
+      #   proxyPass = "http://localhost:8008";
+      # };
+      # This section is not needed if the server_name of matrix-synapse is equal to
+      # the domain (i.e. example.org from @foo:example.org) and the federation port
+      # is 8448.
+      # Further reference can be found in the docs about delegation under
+      # https://element-hq.github.io/synapse/latest/delegate.html
       locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
-    #   # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
-    #   # Further reference can be found in the upstream docs at
-    #   # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+      # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+      # Further reference can be found in the upstream docs at
+      # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
       locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
     };
   };

nextcloud.nix

@@ -1,24 +1,18 @@
 { self, config, lib, pkgs, ... }: 
-let domain = "cloud.sondell.org";
+let 
+domain = "cloud.sondell.org";
+nextcloud = pkgs.nextcloud28;
 in
 {
-  # Based on https://carjorvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/
-  # security.acme = {
-  #   acceptTerms = true;
-  #   defaults = {
-  #     email = "glennpub@proton.me";
-  #     dnsProvider = "cloudflare";
-  # #     # location of your CLOUDFLARE_DNS_API_TOKEN=[value]
-  # #     # https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=
-  #     environmentFile = "/REPLACE/WITH/YOUR/PATH";
-  #   };
-  # };
 
+  environment.systemPackages = [
+    nextcloud
+  ];
   services = {
     nginx.virtualHosts = {
       ${domain} = {
-        # forceSSL = true;
-        # enableACME = true;
+        forceSSL = true;
+        enableACME = true;
         # Use DNS Challenege.
         # acmeRoot = null;
       };
@@ -29,24 +23,27 @@ in
       enable = true;
       hostName = domain;
       # Need to manually increment with every major upgrade.
-      package = pkgs.nextcloud28;
+      package = nextcloud;
       # Let NixOS install and configure the database automatically.
       database.createLocally = true;
-      # Let NixOS install and configure Redis caching automatically.
-      configureRedis = true;
       # Increase the maximum file upload size.
       maxUploadSize = "16G";
       https = true;
       autoUpdateApps.enable = true;
       extraAppsEnable = true;
+      # Let NixOS install and configure Redis caching automatically.
+      configureRedis = true;
+      settings = {
+        maintenance_window_start = 1;
+      };
       extraOptions = {
-        redis = {
-           host = "/run/redis/redis.sock";
-           port = 0;
-           dbindex = 0;
-           password = "secret";
-           timeout = 1.5;
-       };
+       #  redis = {
+       #     # host = "/run/redis/redis.sock";
+       #     port = 0;
+       #     dbindex = 0;
+       #     password = "secret";
+       #     timeout = 1.5;
+       # };
       };
       extraApps = with config.services.nextcloud.package.packages.apps; {
         # List of apps we want to install and are already packaged in
@@ -55,7 +52,7 @@ in
       };
       config = {
         overwriteProtocol = "https";
-        # defaultPhoneRegion = "US";
+        defaultPhoneRegion = "SE";
         dbtype = "pgsql";
         adminuser = "admin";
         adminpassFile = "/etc/nixos/.secrets/nextadminpw";
@@ -69,4 +66,14 @@ in
     #   startAt = "*-*-* 01:15:00";
     # };
   };
+  services.onlyoffice = {
+    enable = true;
+    port = 8123;
+    hostname = "office.sondell.org";
+  };
+  services.nginx.virtualHosts."office.sondell.org" = {
+    forceSSL = true;
+    enableACME = true;
+  #   locations."/".proxyPass = "http://12:8123";
+  };
 }

tail.nix

@@ -1,7 +1,7 @@
 { config, ... }:
 {
   services.tailscale = {
-    enable =true;
+    enable =false;
     useRoutingFeatures = "both";
     extraUpFlags = [
       "--advertise-exit-node"

tunnel.nix

@@ -3,19 +3,19 @@
   services.nginx = {
     enable = true;
     clientMaxBodySize = "10g";
-    defaultHTTPListenPort = 1234;
+    # defaultHTTPListenPort = 1234;
   };
   services.cloudflared = {
-    enable = true;
-    tunnels = {
-      "tulpan" = {
-        credentialsFile = "/etc/nixos/.secrets/tulpan-tunnel.json";
-        default = "http_status:404";
-        ingress = {
-          "*.sondell.org" = "http://localhost:1234";
-          "sondell.org" = "http://localhost:1234";
-        };
-      };
-    };
+    enable = false;
+    # tunnels = {
+    #   "tulpan" = {
+    #     credentialsFile = "/etc/nixos/.secrets/tulpan-tunnel.json";
+    #     default = "http_status:404";
+    #     ingress = {
+    #       "*.sondell.org" = "http://localhost:1234";
+    #       "sondell.org" = "http://localhost:1234";
+    #     };
+    #   };
+    # };
   }; 
 }