+1

hosts/marvin/default.nix

reviewed

··· 20 20 ./services/immich.nix 21 21 ./services/jellyfin.nix 22 22 ./services/matrix.nix 23 23 + ./services/mail-archiver.nix 23 24 ./services/miniflux.nix 24 25 ./services/mysql.nix 25 26 ./services/nextcloud

+134

hosts/marvin/services/mail-archiver.nix

reviewed

··· 1 1 + { 2 2 + config, 3 3 + self', 4 4 + lib, 5 5 + self, 6 6 + ... 7 7 + }: 8 8 + let 9 9 + sec = config.age.secrets; 10 10 + d = self.lib.data.services.mail-vault; 11 11 + 12 12 + settings = { 13 13 + # Each connection string part separately, will get merged with environmentSettings string fixing 14 14 + connectionStrings.defaultConnection = [ 15 15 + "Host=/run/postgresql" 16 16 + "Database=mail-archiver" 17 17 + "Port=5432" 18 18 + ]; 19 19 + dataProtection.keyPath = "/var/lib/mail-archiver/data-protection-keys"; 20 20 + mailSync = { 21 21 + intervalMinutes = 15; 22 22 + timeoutMinutes = 120; 23 23 + connectionTimeoutSeconds = 300; 24 24 + commandTimeoutSeconds = 600; 25 25 + alwaysForceFullSync = false; 26 26 + ignoreSelfSignedCert = false; 27 27 + }; 28 28 + authentication = { 29 29 + username = "admin"; 30 30 + cookieSameSite = "Lax"; 31 31 + }; 32 32 + databaseMaintenance = { 33 33 + enabled = true; 34 34 + dailyExecutionTime = "04:00"; 35 35 + timeoutMinutes = 30; 36 36 + }; 37 37 + timeZone.displayTimeZoneId = "America/New_York"; 38 38 + allowedHosts = [ 39 39 + "mail-vault.pyrox.dev" 40 40 + ]; 41 41 + 42 42 + oAuth = { 43 43 + enabled = true; 44 44 + autoApproveUsers = true; 45 45 + autoRedirect = false; 46 46 + authority = "https://auth.pyrox.dev"; 47 47 + clientId = "3ef0f2d5-68e9-4769-a163-b2774f92b40c"; 48 48 + adminEmails = { 49 49 + "0" = "pyrox@pyrox.dev"; 50 50 + }; 51 51 + disablePasswordLogin = false; 52 52 + }; 53 53 + }; 54 54 + 55 55 + environmentSettings = lib.pipe settings [ 56 56 + (lib.mapAttrsRecursive ( 57 57 + path: value: 58 58 + lib.optionalAttrs (value != null) { 59 59 + name = self.lib.toPascalCase "${lib.concatStringsSep "__" path}"; 60 60 + value = 61 61 + if lib.isList value then 62 62 + builtins.concatStringsSep ";" value 63 63 + else 64 64 + (toString (if lib.isBool value then lib.boolToString value else value)); 65 65 + } 66 66 + )) 67 67 + (lib.collect (x: lib.isString x.name or false && lib.isString x.value or false)) 68 68 + lib.listToAttrs 69 69 + ]; 70 70 + in 71 71 + { 72 72 + systemd.services.mail-archiver = { 73 73 + description = "Mail Archiver Service"; 74 74 + documentation = [ "https://github.com/s1t5/mail-archiver/blob/main/doc/Index.md" ]; 75 75 + after = [ "postgresql.target" ]; 76 76 + wantedBy = [ "multi-user.target" ]; 77 77 + 78 78 + environment = { 79 79 + ASPNETCORE_URLS = "http://+:${toString d.port}"; 80 80 + ASPNETCORE_ENVIRONMENT = "Production"; 81 81 + ASPNETCORE_WEBROOT = "${self'.packages.mail-archiver}/lib/mail-archiver/wwwroot"; 82 82 + } 83 83 + // environmentSettings; 84 84 + 85 85 + serviceConfig = { 86 86 + User = "mail-archiver"; 87 87 + Group = "mail-archiver"; 88 88 + StateDirectory = "mail-archiver"; 89 89 + ExecStart = lib.getExe self'.packages.mail-archiver; 90 90 + WorkingDirectory = "/var/lib/mail-archiver"; 91 91 + EnvironmentFile = [ sec.mail-archiver-secrets.path ]; 92 92 + 93 93 + # Hardening 94 94 + PrivateDevices = true; 95 95 + PrivateTmp = true; 96 96 + ProtectClock = true; 97 97 + ProtectControlGroups = true; 98 98 + ProtectHome = true; 99 99 + ProtectHostname = true; 100 100 + ProtectKernelLogs = true; 101 101 + ProtectKernelModules = true; 102 102 + ProtectKernelTunables = true; 103 103 + ProtectProc = "invisible"; 104 104 + ProtectSystem = true; 105 105 + RestrictNamespaces = true; 106 106 + RestrictRealtime = true; 107 107 + RestrictSUIDGUID = true; 108 108 + }; 109 109 + }; 110 110 + 111 111 + # User and Group 112 112 + users.users.mail-archiver = { 113 113 + isSystemUser = true; 114 114 + group = "mail-archiver"; 115 115 + }; 116 116 + users.groups.mail-archiver = { }; 117 117 + 118 118 + # Postgres setup 119 119 + services.postgresql = { 120 120 + ensureDatabases = [ "mail-archiver" ]; 121 121 + ensureUsers = [ 122 122 + { 123 123 + name = "mail-archiver"; 124 124 + ensureDBOwnership = true; 125 125 + } 126 126 + ]; 127 127 + }; 128 128 + 129 129 + age.secrets.mail-archiver-secrets = { 130 130 + file = ./secrets/mail-archiver-secrets.age; 131 131 + owner = "mail-archiver"; 132 132 + group = "mail-archiver"; 133 133 + }; 134 134 + }

hosts/marvin/services/secrets/mail-archiver-secrets.age

reviewed

This is a binary file and will not be displayed.

+1

hosts/marvin/services/secrets/secrets.nix

reviewed

··· 33 33 "immich/oauth-secret.age".publicKeys = marvinDefault; 34 34 "immich/mail-pw.age".publicKeys = marvinDefault; 35 35 "jellyfin-exporter-config.age".publicKeys = marvinDefault; 36 36 + "mail-archiver-secrets.age".publicKeys = marvinDefault; 36 37 "minio-root.age".publicKeys = marvinDefault; 37 38 "miniflux-admin.age".publicKeys = marvinDefault; 38 39 "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;