| -rw-r--r-- | .sops.yaml | 1 | ||||
| -rw-r--r-- | flake.lock | 119 | ||||
| -rw-r--r-- | flake.nix | 1 | ||||
| -rw-r--r-- | lib/ivi.nix | 3 | ||||
| -rw-r--r-- | machines/serber.nix | 12 | ||||
| -rw-r--r-- | profiles/core/configuration.nix | 2 | ||||
| -rw-r--r-- | profiles/server/acme.nix | 11 | ||||
| -rw-r--r-- | profiles/server/mail.nix | 24 | ||||
| -rw-r--r-- | profiles/server/nginx.nix | 16 | ||||
| -rw-r--r-- | secrets/root.yaml | 31 | ||||
| -rw-r--r-- | secrets/serber/ivi | 24 |
11 files changed, 229 insertions, 15 deletions
@@ -6,6 +6,7 @@ creation_rules: key_groups: - age: - *ivi + - *serber - path_regex: secrets/lemptop/[^/]+\.?(yaml|json|env|ini)?$ key_groups: - age: @@ -1,5 +1,21 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "deploy-rs": { "inputs": { "flake-compat": "flake-compat", @@ -36,6 +52,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -72,6 +104,36 @@ "type": "github" } }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1696717752, 
@@ -106,6 +168,21 @@ }, "nixpkgs_3": { "locked": { + "lastModified": 1670751203, + "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { "lastModified": 1696693680, "narHash": "sha256-PH0HQTkqyj7DmdPKPwrrXwVURLBqzZs4nqnDw9q8mhg=", "owner": "NixOS", @@ -125,12 +202,37 @@ "deploy-rs": "deploy-rs", "home-manager": "home-manager", "nixpkgs": "nixpkgs_2", + "simple-nixos-mailserver": "simple-nixos-mailserver", "sops-nix": "sops-nix" } }, - "sops-nix": { + "simple-nixos-mailserver": { "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", "nixpkgs": "nixpkgs_3", + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1687462267, + "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "24128c3052090311688b09a400aa408ba61c6ee5", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-23.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -161,6 +263,21 @@ "repo": "flake-utils", "type": "github" } + }, + "utils_2": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", 
@@ -9,6 +9,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; deploy-rs.url = "github:serokell/deploy-rs"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; }; outputs = inputs@{ diff --git a/lib/ivi.nix b/lib/ivi.nix index 2d2d881..d4488d4 100644 --- a/lib/ivi.nix +++ b/lib/ivi.nix @@ -55,7 +55,7 @@ self: lib: with lib; let githubUsername = "ivi-vink"; realName = "Mike Vink"; domain = "vinkland.xyz"; - email = "mike1994vink@gmail.com"; + email = "ivi@vinkland.xyz"; sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMT59Kbv+rO0PvB1q5u3l9wdUgsKT0M8vQ7WHnjq+kYN ${ivi.email}" "ssh-rsa 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 ${ivi.email}" @@ -73,6 +73,7 @@ self: lib: with lib; let isDeployed = true; profiles = [ "core" + "server" ]; }; }; diff --git a/machines/serber.nix b/machines/serber.nix index 09208ee..cf772ca 100644 --- a/machines/serber.nix +++ b/machines/serber.nix @@ -41,16 +41,4 @@ networking.domain = "xyz"; services.openssh.enable = true; - security.acme = { - acceptTerms = true; - defaults = { - extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"]; - email = ivi.email; - dnsProvider = "porkbun"; - credentialsFile = config.secrets.porkbun.path; - }; - certs = { - "vinkland.xyz" = { }; - }; - }; } diff --git a/profiles/core/configuration.nix b/profiles/core/configuration.nix index 2849800..1fcb139 100644 --- a/profiles/core/configuration.nix +++ b/profiles/core/configuration.nix @@ -16,7 +16,7 @@ openssh.authorizedKeys.keys = ivi.sshKeys; }; root = { - passwordFile = secrets.password.path; + hashedPasswordFile = config.secrets.root.path; openssh.authorizedKeys.keys = config.ivi.openssh.authorizedKeys.keys; }; }; diff --git a/profiles/server/acme.nix b/profiles/server/acme.nix new file mode 100644 index 0000000..c0d7306 --- /dev/null +++ b/profiles/server/acme.nix 
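Review bot: The new `simple-nixos-mailserver` input in flake.nix is added without an `inputs.nixpkgs.follows = "nixpkgs";` line, while the input directly above it in the same hunk is pinned that way; the flake.lock hunks show the consequence, a separate `nixpkgs_3` locked at lastModified 1670751203 plus `nixpkgs-22_11` and `nixpkgs-23_05` copies. Whether the module's own nixpkgs influences the system that is actually built I cannot tell from here, but four nixpkgs revisions in one lock make it harder to audit which package versions a host runs and when they were last updated. Consider `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` next to the url line, then re-lock. The enclosing `inputs` attrset starts before the hunk.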
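Review bot: The block removed from machines/serber.nix carried `certs = { "vinkland.xyz" = { }; };`, and the profiles/server/acme.nix replacement in this commit keeps only `acceptTerms` and `defaults`, so no certificate is declared for the bare domain any more. mail.nix sets `fqdn = ivi.domain` with `certificateScheme = "acme"`, which as far as I recall consumes an existing `security.acme.certs.${fqdn}` entry rather than requesting one; if that is right, Postfix and Dovecot would start without a certificate for the fqdn unless some nginx vhost happens to request it. Worth confirming against the mailserver module, and if needed re-adding `certs."vinkland.xyz" = { };` under `security.acme` in acme.nix. The enclosing attrset in serber.nix starts before the hunk.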
@@ -0,0 +1,11 @@
+{ config, ... }: {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
+ email = ivi.email;
+ dnsProvider = "porkbun";
+ credentialsFile = config.secrets.porkbun.path;
+ };
+ };
+}
diff --git a/profiles/server/mail.nix b/profiles/server/mail.nix
new file mode 100644
index 0000000..c6837ef
--- /dev/null
+++ b/profiles/server/mail.nix
@@ -0,0 +1,24 @@
+{ inputs, config, lib, ... }: with lib; {
+ imports = [
+ inputs.simple-nixos-mailserver.nixosModule
+ ];
+ mailserver = {
+ enable = true;
+ enableImap = false;
+ enableSubmission = true;
+ enableImapSsl = true;
+ enableSubmissionSsl = true;
+
+ fqdn = ivi.domain;
+ domains = [ ivi.domain ];
+ loginAccounts = {
+ ${ivi.email} = {
+ hashedPasswordFile = config.secrets.ivi.path;
+ aliases = [ "@${ivi.domain}" ];
+ };
+ };
+ certificateScheme = "acme";
+
+ lmtpSaveToDetailMailbox = "no";
+ };
+}
diff --git a/profiles/server/nginx.nix b/profiles/server/nginx.nix
new file mode 100644
index 0000000..526a8e7
--- /dev/null
+++ b/profiles/server/nginx.nix
@@ -0,0 +1,16 @@
+{ inputs, lib, ... }: with lib; {
+ # apparently you can set defaults on existing modules?
+ options.services.nginx.virtualHosts = mkOption {
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ config = mkIf (name != "default") {
+ forceSSL = mkDefault true;
+ enableACME = mkDefault true;
+ };
+ }));
+ };
+ config = {
+ services.nginx = {
+ enable = true;
+ };
+ };
+}
diff --git a/secrets/root.yaml b/secrets/root.yaml
new file mode 100644
index 0000000..d708ac8
--- /dev/null
+++ b/secrets/root.yaml
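Review bot: `ivi` is not bound anywhere in profiles/server/acme.nix: the module's argument set is `{ config, ... }` and, unlike mail.nix and nginx.nix in this same commit, it has no `with lib;`, so the `email = ivi.email;` line should fail evaluation with an undefined-variable error unless `ivi` reaches the file some way I cannot see. The removed serber.nix block used the same expression, but its enclosing scope is outside the hunk, so I cannot tell what bound it there. The smallest fix that matches the sibling profiles is `{ config, lib, ... }: with lib; {`; alternatively `email = config.ivi.email;` if the `config.ivi` option that configuration.nix already reads (`config.ivi.openssh.authorizedKeys.keys`) carries the address. Either way a one-line comment saying where `ivi` comes from would save the next reader the same search.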
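Review bot: In profiles/server/nginx.nix the argument `inputs` is declared but never used, and the only comment, `# apparently you can set defaults on existing modules?`, is phrased as a question the code itself answers. Since the hunk relies on this pattern for every vhost's TLS posture, a statement is more useful to the next reader, for example `# Re-declaring virtualHosts with a submodule type appears to merge with the nginx module's own declaration; this adds forceSSL/enableACME defaults to every vhost except "default", overridable per host because they are mkDefault.` Dropping `inputs` from the argument set would also make it clear the file has no flake dependency.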
@@ -0,0 +1,31 @@ +serber: ENC[AES256_GCM,data:YJLm1K1eW7QPFN5t3j1ni+J5m9hZemDBMHy/1X8CcMfoMPn/OJDpN4Hyz0CvdblxDNrHHCYGhDPJjZIt,iv:5j1/9sthguwv7a6JD/7OwbKB+jaj+E+ezA0/TiHHsSw=,tag:x690F9djFbnvtGbXeOFytQ==,type:str] +lemptop: ENC[AES256_GCM,data:Ga7/9T9r2yPui30iGDN0XJ8kGYkBz4AILHMHpTo0kuT2DQiMoW0cVypABZK84hnVZcooATWpNHNoiFGs,iv:YcZEmRGeHg6RZmPpJueLlf2VznAenP5e40D7DHsKiOc=,tag:I57ssbo2CBIGLfnLlG25Ig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYd1p1c3B2aVZTOS85em9q + TmxSemF3SUV1d2g4U0JzakdFZ1NHL09DZlh3ClpFbm1vNTBiRzF0dm9ZSVRYdXlE + M0VlZEMzS1B6b0ZhOFFHV3dkYXBPMmMKLS0tIHFNY0JVNnZSQ205RHFldTFDYjl0 + cWJqempFUmczdXYvR3ZHUWVncjhKWUkKu/iUfUPhX/aUF7vgSv854B9rLW8PBw09 + ZltQOfC8WeNENIdeSeZA7WyjJlqVyGosfGHHbW0f5XCcIvqVTkJDOw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzL0pIZllnWXJqdDNUbDlq + NWJqcmdHNWUySm1pRDJGNDhiSVN1WjRON0I4CktibnNJQ3ZaUW5jVnlkZG9kMEYr + NWRkYXlaWkJRckJvMGlRRTYvSmZzaGcKLS0tIEFpY0VJVkFpcGRTK3JpV2lNSkdr + K0FPbllRQTMzR3pSSFVzTCtxeVJ0NFUKr6T8u0oSunUM6RuAd1J5KWqP4xW39e8T + uUzgaPM2pSnAC402o/uyCMuybpO+30YWQ+h0Pp44JPIpnTc+6HfIwg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-19T19:56:05Z" + mac: ENC[AES256_GCM,data:7baNI4pP8p2yW+FtvN9XVp3qmj3bgFzwLHYCSA7MzEOIG1hZu66+NUhktGHMfKv8bbpP5KcKckcK4BlDdmjPl24LJPkaKUoE1xGgTmv5gKIfB+oTtGHgkwGs72A7VY2DawORrBfS6vKEVu72p//9XRiOlOCuMZqnXIwQZcQLWsw=,iv:xlQ7Ganm/XV18gNJjNao8OxeUmN70EyNZpmeo6RCfts=,tag:UrIl7XpxiePpvn7CqA47Zg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.0 diff --git a/secrets/serber/ivi b/secrets/serber/ivi new file mode 100644 index 0000000..439c58f --- /dev/null +++ b/secrets/serber/ivi 
@@ -0,0 +1,24 @@ +{ + "data": "ENC[AES256_GCM,data:/NAB+9AtvXxWu3Rsf6zWWCS2HyO3XK7moOPhtrr28E7WVwTO/UCI1yuBqYg3REbH0onWZraZ1jp1Tp2dUw==,iv:Mt6hIoCqQWrbmwOSdFxhjjk+OVY4P9wkwXoNnF0mOQY=,tag:skPV7thTBk7YAarL5fvCXg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvVnUwV2lTUVFtaDhUR29C\nNVUwR1pNUytpNWplQWRCcytTQ0VRSXZ2b0c4CmdadXUvMTJzNXdEUmpiS1JvUFUv\nZWswWGR3cjJ2VENoLzRObkJ0bUxlemsKLS0tIFkzcEZpbEFUOTQzUHhQS1BTYk55\nUXRlOHJYcXAwUVZiOWVpS2tUYTkwcWcKCTrFi+TW9Xmcntzu2Jw2IdxxO4DxdJ2D\nntBIGeaiQR4Q2fn0hHdn7DZPJuPy4sNNIoOtpK5a7eZye/zDbQqCEA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjS20yQ1ZqY0pyN2VweWhl\nYjJqQW8yYVFhS2c1QW1NZ3QvZ3liMVpHRUJnClpPS2FLakhyZ1ZpaDFmdmZpaGZ1\nNlExS3FqVlZWVGNnalY3RDBaclExQTgKLS0tIERQdWFZc1loUjg0MStOVkM0U0oy\nbEYwRStwVGF3azQ0NEpmU0srdElQODgK/wSfMo4OvwyC4QonKP7LNn+c0WGTVLmr\nwBYZkaA41Pom6sZ21u3BpAR4/hfGvsteAoKaNjY9CffDssmfsvAOjw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-10-19T19:27:04Z", + "mac": "ENC[AES256_GCM,data:XCZ7NlOGUHO835ETBioMOHoLDS/xWrpu0VXOhp9GuCMXOFiquPM3D/oXK5UeFmLbvOfCTVAXoid2dPAilxeWGaZ+uouBtRWZDRzNuw/lbiBeshf+9wSrU4W59edpDN41l1dB0KNVV0vTI2UVXw9NrRDF1YBJLBwpbsy8UpycZQ8=,iv:dii8q2Tdhj5cUPD0Q2pk+3uXJoWJeOlNnF0QQumfxM8=,tag:Gf8KEorRPAMknglwcdeDyg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.0" + } +}
\ No newline at end of file |
