forgejo: setup mailer

flake.lock

@@ -52,6 +52,22 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "crane": {
       "locked": {
         "lastModified": 1727974419,
@@ -132,12 +148,28 @@
       },
       "original": {
         "owner": "edolstra",
-        "ref": "v1.0.1",
         "repo": "flake-compat",
         "type": "github"
       }
     },
     "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "ref": "v1.0.1",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_5": {
       "flake": false,
       "locked": {
         "lastModified": 1650374568,
@@ -153,7 +185,7 @@
         "type": "github"
       }
     },
-    "flake-compat_5": {
+    "flake-compat_6": {
       "flake": false,
       "locked": {
         "lastModified": 1650374568,
@@ -296,7 +328,7 @@
     },
     "flake-utils_5": {
       "inputs": {
-        "systems": "systems_7"
+        "systems": "systems_8"
       },
       "locked": {
         "lastModified": 1694529238,
@@ -848,6 +880,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-24_05": {
+      "locked": {
+        "lastModified": 1717144377,
+        "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "805a384895c696f802a9bf5bf4720f37385df547",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.05",
+        "type": "indirect"
+      }
+    },
     "nixpkgs-latest-factorio": {
       "locked": {
         "lastModified": 1731242709,
@@ -1005,6 +1052,21 @@
       }
     },
     "nixpkgs_7": {
+      "locked": {
+        "lastModified": 1717602782,
+        "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_8": {
       "locked": {
         "lastModified": 1731763621,
         "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
@@ -1020,7 +1082,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_8": {
+    "nixpkgs_9": {
       "locked": {
         "lastModified": 1731319897,
         "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
@@ -1109,6 +1171,7 @@
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "raspberry-pi-nix": "raspberry-pi-nix",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
         "snowfall-flake": "snowfall-flake",
         "snowfall-lib": "snowfall-lib_2",
         "sops-nix": "sops-nix",
@@ -1255,9 +1318,32 @@
         "type": "github"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat_3",
+        "nixpkgs": "nixpkgs_7",
+        "nixpkgs-24_05": "nixpkgs-24_05",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1718084203,
+        "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-24.05",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "snowfall-flake": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
         "nixpkgs": [
           "nixpkgs-unstable"
         ],
@@ -1279,7 +1365,7 @@
     },
     "snowfall-lib": {
       "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_5",
         "flake-utils-plus": "flake-utils-plus",
         "nixpkgs": [
           "snowfall-flake",
@@ -1303,7 +1389,7 @@
     },
     "snowfall-lib_2": {
       "inputs": {
-        "flake-compat": "flake-compat_5",
+        "flake-compat": "flake-compat_6",
         "flake-utils-plus": "flake-utils-plus_2",
         "nixpkgs": [
           "nixpkgs"
@@ -1325,7 +1411,7 @@
     },
     "sops-nix": {
       "inputs": {
-        "nixpkgs": "nixpkgs_7"
+        "nixpkgs": "nixpkgs_8"
       },
       "locked": {
         "lastModified": 1731862312,
@@ -1446,6 +1532,21 @@
         "type": "github"
       }
     },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "u-boot-src": {
       "flake": false,
       "locked": {
@@ -1459,6 +1560,24 @@
         "url": "https://ftp.denx.de/pub/u-boot/u-boot-2024.07.tar.bz2"
       }
     },
+    "utils": {
+      "inputs": {
+        "systems": "systems_7"
+      },
+      "locked": {
+        "lastModified": 1709126324,
+        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "xdph": {
       "inputs": {
         "hyprland-protocols": [
@@ -1502,7 +1621,7 @@
     },
     "zen-browser": {
       "inputs": {
-        "nixpkgs": "nixpkgs_8"
+        "nixpkgs": "nixpkgs_9"
       },
       "locked": {
         "lastModified": 1731689537,

flake.nix

@@ -83,6 +83,8 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+
     ################
     ## inputs for dev shells
 
@@ -134,6 +136,10 @@
         raspberry-pi-nix.nixosModules.sd-image
       ];
 
+      systems.hosts.loptland.modules = with inputs; [
+        simple-nixos-mailserver.nixosModules.default
+      ];
+
       systems.hosts.wsl.modules = with inputs; [ nixos-wsl.nixosModules.default ];
     }
     // {

secrets/secrets-loptland.yaml

@@ -5,6 +5,9 @@ factorio:
 forgejo:
     db:
         password: ENC[AES256_GCM,data:CicLsCG2WCtiKMcz3DF5eVVaT8A=,iv:SPO1H4AZwo5FjJWkf1OS7aPOrpTGxqsAj4q3cuuWAbA=,tag:0snK8RyAd8heNvui2sbSNw==,type:str]
+    mail:
+        password: ENC[AES256_GCM,data:XgQZM0MBUEELyhH7UvyyMEiUABs=,iv:m3Wzs2SAPQ2w6UC02lpTvwd83Dt0LEzqdIj65HeOrbU=,tag:3cr5dnjeyoJ4ze9RFd9K5g==,type:str]
+        passwordHash: ENC[AES256_GCM,data:hHGJBUEtCi/gErZ5vm0gsEFqyIDNkED4scR4NAOSzbiiZAYTMg++yqf3hfjjwWV3wTPswNpzzw+gYKEH,iv:wDM5IOOamopFpMEkUit4y7LBZi8CJff3+Tc08lK4IXI=,tag:FaaaohtA+vBFwjDugoemQw==,type:str]
 netcup:
     customer_number: ENC[AES256_GCM,data:9+QboNg1,iv:Tg9ylJUM8L/kzqFmk2uIsD9noqnp5wIxr5GVXMsZwB8=,tag:2qRggSIkPHuCQYDWCfka5Q==,type:str]
     api:
@@ -34,8 +37,8 @@ sops:
             UllqSDR1YWl6aU1jSnY2WE9oczg5Q28KfN15tFxXHrJmOHySK+cyLi2bFqArg244
             bNTYyuBUtBW1Y/EuNpbyLjSNQpKZWFz7grE64uxrNQHP865N3wv0gg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-12T14:29:12Z"
+    lastmodified: "2024-12-03T13:46:57Z"
-    mac: ENC[AES256_GCM,data:lKx1qAe689wkWkrMRvqHpE0zmv+ShLwpApBw2C4+JEuuHnoN1W7aoB/GQRkWzmImCCy9odzM2yoUa0mJogl0i+bddblrl+ZS0uPmPQrm3pM0sl876pelogxKuNpQWS8PRNDe24z3m06f0TozhfPF9D2ywH30tFH8naZONfWTTUU=,iv:tDhJVlWnTHnjZak32pgnUZ8XtM6TK9o2gZ0X3tcQD4Q=,tag:PcMS/5DpEkDkk+U0GG918w==,type:str]
+    mac: ENC[AES256_GCM,data:5o/0aL6x4Kc+IwKL4sIZ4gyG4IXZqvL6TqZFnp3GNGjazRyUKvEbTbKTj96C7W1ci+JUv73mO/0IGjPxY/Bbsv06clKxSX40XbSvWVxSOfQp1qfiQaDxswcF+7yw5vA6wsOfZnYCWeyzJHuBD8OvTE+xXE8bNil5q2ZY5OXX7nk=,iv:aR7um7d9fjJxetxj8a0LrK9zs8tAWiSvKMenYBCMWpc=,tag:Zvj+ZiM5uV5HFVwu6ZAd2A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1

systems/x86_64-linux/loptland/default.nix

@@ -26,6 +26,12 @@ in
       "forgejo/db/password" = {
         inherit sopsFile;
       };
+      "forgejo/mail/password" = {
+        inherit sopsFile;
+      };
+      "forgejo/mail/passwordHash" = {
+        inherit sopsFile;
+      };
     };
   };
 
@@ -83,13 +89,33 @@ in
 
       mailer = {
         ENABLED = true;
-        PROTOCOL = "sendmail";
+        PROTOCOL = "smtps";
         FROM = "no-reply@${domainName}";
-        SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
+        SMTP_ADDR = "mail.${domainName}";
+        USER = "forgejo@${domainName}";
       };
 
       service.DISABLE_REGISTRATION = true;
     };
+
+    secrets = {
+      mailer.PASSWD = config.sops.secrets."forgejo/mail/password".path;
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.${domainName}";
+    domains = [ domainName ];
+
+    loginAccounts = {
+      "forgejo@${domainName}" = {
+        hashedPasswordFile = config.sops.secrets."forgejo/mail/passwordHash".path;
+        aliases = [ "no-reply@${domainName}" ];
+      };
+    };
+
+    certificateScheme = "acme-nginx";
   };
 
   networking.firewall.allowedTCPPorts = [