Move kas.codes over to using mx.kaareskovgaard.net

2025-08-01 02:04:06 +02:00 · 2025-08-01 02:04:06 +02:00 · 1f88fa3c49
commit 1f88fa3c49
parent 6ac55b7e44
9 changed files with 68 additions and 126 deletions
--- a/nix/modules/nixos/services/nginx/default.nix
+++ b/nix/modules/nixos/services/nginx/default.nix
@ -226,7 +226,7 @@ in
      serviceConfig = {
        ExecStartPre = [
          ''${pkgs.uutils-coreutils-noprefix}/bin/touch /var/log/nginx/access.fail2ban.log''
-          ''${pkgs.uutils-coreutils-noprefix}/bin/chmod 064 /var/log/nginx/access.fail2ban.log''
+          ''${pkgs.uutils-coreutils-noprefix}/bin/chmod 0640 /var/log/nginx/access.fail2ban.log''
        ];
      };
    };
@ -352,7 +352,8 @@ in
            "=/robots.txt" = {
              alias = value.robotsTxt;
            };
-          } // value.locations;
+          }
+          // value.locations;
          forceSSL = true;
          enableACME = value.acme == null && !dns01Enabled;
          useACMEHost =
--- a/nix/systems/aarch64-linux/kas.codes/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/default.nix
@ -5,7 +5,6 @@
 {
  imports = [
    "${inputs.self}/nix/profiles/nixos/hetzner-server.nix"
-    ./mailserver
    ./forgejo
  ];
  khscodes.infrastructure.hetzner-instance = {
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
@ -40,28 +40,10 @@ let
  '';
 in
 {
-  imports = [ ./oauth.nix ];
-  khscodes.services.vault-agent.templates = [
-    {
-      contents = ''
-        {{- with secret "forgejo/data/mailserver/users/forgejo" -}}
-        {{ .Data.data.password }}
-        {{- end -}}
-      '';
-      destination = "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd";
-      perms = "0600";
-      owner = "git";
-      group = "git";
-      restartUnits = [
-        "forgejo.service"
+  imports = [
+    ./oauth.nix
+    ./smtp.nix
  ];
-    }
-  ];
-  systemd.services.forgejo = {
-    unitConfig = {
-      ConditionPathExists = [ "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd" ];
-    };
-  };
  services.forgejo = {
    enable = true;
    user = "git";
@ -87,12 +69,6 @@ in
      repository = {
        DEFAULT_REPO_UNITS = "repo.code,repo.releases,repo.issues,repo.packages,repo.actions";
      };
-      mailer = {
-        ENABLED = true;
-        SMTP_ADDR = "kas.codes";
-        FROM = "forgejo@kas.codes";
-        USER = "forgejo@kas.codes";
-      };
      "ui.meta" = {
        AUTHOR = "Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>";
        DESCRIPTION = "A self-hosted software forge for KAS/KHS";
@ -108,7 +84,6 @@ in
        REGISTER_EMAIL_CONFIRM = false;
      };
    };
-    secrets.mailer.PASSWD = "/var/lib/vault-agent/forgejo/mailserver/forgejo.passwd";
    lfs = {
      enable = true;
    };
--- a/nix/systems/aarch64-linux/kas.codes/forgejo/smtp.nix
+++ b/nix/systems/aarch64-linux/kas.codes/forgejo/smtp.nix
@ -0,0 +1,54 @@
+let
+  secretFile = "/run/secret/mx.kaareskovgaard.net/forgejo.passwd";
+in
+{
+  khscodes.infrastructure.vault-server-approle.policy = {
+    "mx.kaareskovgaard.net/data/users/forgejo" = {
+      capabilities = [ "read" ];
+    };
+  };
+  khscodes.services.vault-agent.templates = [
+    {
+      contents = ''
+        {{- with secret "mx.kaareskovgaard.net/data/users/forgejo" -}}
+        {{ .Data.data.password }}
+        {{- end -}}
+      '';
+      destination = secretFile;
+      perms = "0600";
+      owner = "git";
+      group = "git";
+      restartUnits = [
+        "forgejo.service"
+      ];
+    }
+  ];
+  khscodes.infrastructure.hetzner-instance.extraFirewallRules = [
+    {
+      direction = "out";
+      protocol = "tcp";
+      port = 465;
+      destination_ips = [
+        "0.0.0.0/0"
+        "::/0"
+      ];
+      description = "smtp";
+    }
+  ];
+  services.forgejo = {
+    settings.mailer = {
+      ENABLED = true;
+      SMTP_ADDR = "mx.kaareskovgaard.net";
+      SMTP_PORT = 465;
+      PROTOCOL = "smtps";
+      FROM = "git@kas.codes";
+      USER = "forgejo";
+    };
+    secrets.mailer.PASSWD = secretFile;
+  };
+  systemd.services.forgejo = {
+    unitConfig = {
+      ConditionPathExists = [ secretFile ];
+    };
+  };
+}
--- a/nix/systems/aarch64-linux/kas.codes/mailserver/default.nix
+++ b/nix/systems/aarch64-linux/kas.codes/mailserver/default.nix
@ -1,39 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./forgejo-user.nix
-  ];
-  khscodes.infrastructure.provisioning.pre.modules = [
-    {
-      khscodes.vault = {
-        enable = true;
-        mount.forgejo = {
-          path = "forgejo";
-          type = "kv";
-          options = {
-            version = "2";
-          };
-          description = "Secrets used for forgejo";
-        };
-      };
-    }
-  ];
-  khscodes.infrastructure.mailserver = {
-    enable = true;
-    domains = [ "kas.codes" ];
-    dkim = {
-      vault = {
-        mount = "forgejo";
-        prefixPath = "mailserver/dkim";
-      };
-    };
-  };
-  mailserver = {
-    loginAccounts = {
-      "forgejo@kas.codes" = {
-        hashedPasswordFile = "/var/lib/vault-agent/mailserver/users/forgejo.passwd.hash";
-        sendOnly = true;
-      };
-    };
-  };
-}
--- a/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
+++ b/nix/systems/aarch64-linux/kas.codes/mailserver/forgejo-user.nix
@ -1,55 +0,0 @@
-{
-  khscodes.infrastructure.vault-server-approle.policy = {
-    "forgejo/data/mailserver/users/*" = {
-      capabilities = [ "read" ];
-    };
-  };
-  khscodes.services.vault-agent.templates = [
-    {
-      contents = ''
-        {{- with secret "forgejo/data/mailserver/users/forgejo" -}}
-        {{ .Data.data.hashed_password }}
-        {{- end -}}
-      '';
-      destination = "/var/lib/vault-agent/mailserver/users/forgejo.passwd.hash";
-      perms = "0600";
-      owner = "rspamd";
-      group = "rspamd";
-      restartUnits = [
-        "rspamd.service"
-        "postfix.service"
-      ];
-    }
-  ];
-  khscodes.infrastructure.provisioning.pre.modules = [
-    (
-      { config, ... }:
-      {
-        terraform.required_providers.random = {
-          source = "hashicorp/random";
-          version = "3.7.2";
-        };
-        provider.random = { };
-
-        resource.random_password.forgejo_mail_passwd = {
-          length = 48;
-          numeric = true;
-          lower = true;
-          upper = true;
-          special = false;
-        };
-
-        resource.vault_kv_secret_v2.forgejo_email_user_password = {
-          mount = config.khscodes.vault.output.mount.forgejo.path;
-          name = "mailserver/users/forgejo";
-          data_json = ''
-            {
-              "hashed_password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.bcrypt_hash) },
-              "password": ''${ jsonencode(resource.random_password.forgejo_mail_passwd.result) }
-            }
-          '';
-        };
-      }
-    )
-  ];
-}
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/default.nix
@ -41,6 +41,7 @@
        "agerlinskovgaard.dk"
        "k.agerlin-skovgaard.dk"
        "k.agerlinskovgaard.dk"
+        "kas.codes"
      ];
      accounts = import ./users.nix;
    };
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/mailserver/accounts.nix
@ -134,7 +134,7 @@ let
    lib.concatStringsSep "\n" (
      lib.lists.map (account: ''
        {{- with secret "mx.kaareskovgaard.net/data/users/${account}" -}}
-        "${account}:{{ .Data.data.hashed_password }}::::::"
+        ${account}:{{ .Data.data.hashed_password }}::::::
        {{- end -}}
      '') systemAccounts
    )
@ -205,6 +205,7 @@ in
      let
        tfName = lib.khscodes.sanitize-terraform-name account;
      in
+      { config, ... }:
      {
        resource.random_password."${tfName}" = {
          length = 48;
--- a/nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix
+++ b/nix/systems/aarch64-linux/mx.kaareskovgaard.net/users.nix
@ -10,4 +10,9 @@
    ];
    quota = "10G";
  };
+  "forgejo" = {
+    name = "KAS: Codes";
+    addresses = [ "git@kas.codes" ];
+    sendOnly = true;
+  };
 }