diff --git a/.sops.yaml b/.sops.yaml
index 406e0245..8f15a7d9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -16,6 +16,7 @@ keys:
 - &keycloak_osh age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488
 - &kasen_osh age1fjcafp0j45sz03zq5srnxyq2mujndmn25vceg3wj2cgzymqm73ssmhdgku
 - &logistics_osh age1tkkau8vk5h9dh3kemash4eghn7lk84j0hhpmvvf7j6phgcsm9vmsphv0py
+- &mail_osh age1nxgmdahcjhmtrf7q66jep55cjdcw6tfpw722jr4gytaykgf89ugqxufgyd
 - &kuwubernetes_osh age1q2yjpxlqkfhsfxumtmax6zsyt669vlr9ffjks3dpkjf3cqdakcwqt2nt66
 - &kuwubernetes_cluster age1nmdv4q8hcyj3s6qevrmc9w2vhd4a8tsj5j5e0cry5utex7vqeprslyjvxz
 #- &sakuya_osh age1ehdj6hghtr8sf5s5c03rru4y3a02nwrt694e36tjnd6g7eq4l43qfradn6
@@ -116,6 +117,12 @@ creation_rules:
 - pgp: *pgp_common
 age:
 - *litterbox2_osh
+- path_regex: 'systems/mail/secrets\.yaml$'
+ shamir_threshold: 1
+ key_groups:
+ - pgp: *pgp_common
+ age:
+ - *mail_osh
 - path_regex: 'systems/minecraft/secrets\.yaml$'
 shamir_threshold: 1
 key_groups:
diff --git a/modules/system/access.nix b/modules/system/access.nix
index ab26a177..f2d2cede 100644
--- a/modules/system/access.nix
+++ b/modules/system/access.nix
@@ -49,7 +49,7 @@ mkGetAddressFor = nameAllowed: addressForAttr: hostName: network: let
 forSystem = access.systemFor hostName;
 forSystemHas = network: forSystem.access ? ${addressForAttr}.${network} || forSystem.access ? address4ForNetwork.${network};
- err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network}";
+ err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network} OR disable promtail and prometheus-node-exporter services";
 fallback = if nameAllowed then lib.warn "getAddressFor hostname fallback for ${config.networking.hostName} -> ${hostName}@${network}" (access.getHostnameFor hostName network)
diff --git a/systems/mail/default.nix b/systems/mail/default.nix
new file mode 100644
index 00000000..dfdcc98d
--- /dev/null
+++ b/systems/mail/default.nix
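Review bot: The remediation appended to `err` in the `+` line is specific to promtail and prometheus-node-exporter, but `mkGetAddressFor` is the generic address lookup (its parameters are `nameAllowed`, `addressForAttr`, `hostName`, `network`) and the same throw fires for any caller that has no shared network with the target, so the hint will mislead callers unrelated to those two services. A neutral message that keeps the actionable part general reads better, e.g. `err = throw "no interface found between ${config.networking.hostName} -> ${hostName}@${network}; a host with no shared network must not export services that need one (e.g. promtail, prometheus-node-exporter)";`. If the hint is meant only for the monitoring exports, it belongs in the modules that invoke the lookup for them, where the caller is known. The `let` block of mkGetAddressFor continues outside the hunk.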
@@ -0,0 +1,24 @@
+_: {
+ imports = [
+ ];
+ arch = "x86_64";
+ type = "NixOS";
+ ci.allowFailure = true;
+ access.online.enable = false;
+ modules = [
+ ./nixos.nix
+ ];
+ network.networks = {
+ tail = {
+ #address4 = "100.78.97.73";
+ #address6 = "fd7a:115c:a1e0::d834:6149";
+ };
+ };
+ exports = {
+ services = {
+ promtail.enable = false;
+ prometheus-exporters-node.enable = false;
+ tailscale.enable = false;
+ };
+ };
+}
diff --git a/systems/mail/nixos.nix b/systems/mail/nixos.nix
new file mode 100644
index 00000000..ae4f7cb9
--- /dev/null
+++ b/systems/mail/nixos.nix
@@ -0,0 +1,21 @@
+{meta, ...}: {
+ imports = let
+ inherit (meta) nixos;
+ in [
+ nixos.sops
+ nixos.ct.meiling
+ nixos.tailscale
+ ];
+
+ services = {
+ prometheus.exporters.node.enable = false;
+ promtail.enable = false;
+ };
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets.tailscale-key.key = "tailscale-key";
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/mail/secrets.yaml b/systems/mail/secrets.yaml
new file mode 100644
index 00000000..4bb33210
--- /dev/null
+++ b/systems/mail/secrets.yaml
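Review bot: The `tail` network is declared with both addresses commented out, which leaves `network.networks.tail` as an empty attrset while `access.online.enable`, the `tailscale` export and the two monitoring exports are all switched off, and nothing records whether that is a temporary state; a one-line comment above `tail = {` such as `# addresses unknown until the node first joins tailscale; fill in, then re-enable access.online and the exports` would capture the intent (inferred from the commented values — confirm). The empty `imports = [ ];` adds nothing and can be dropped. The same two services are disabled again in systems/mail/nixos.nix under `services`, so the two lists must be kept in sync by hand; a short cross-referencing comment at each site, or deriving one from the other, would make that dependency visible.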
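Review bot: `system.stateVersion = "23.11";` on a host whose secrets were created in November 2025 (per `lastmodified` in systems/mail/secrets.yaml) looks copied from an older system rather than chosen for this install; for a fresh host it should be the release it was first installed with, and since it is meant to stay fixed afterwards this is worth confirming before the first deploy. `secrets.tailscale-key.key = "tailscale-key"` restates the default (the attribute name is already used as the key), so `secrets.tailscale-key = {};` expresses the same thing. A header comment such as `# mail host: sops + tailscale only; node exporter and promtail are off because the host has no shared network yet` would explain why the monitoring services are disabled here, a reason the file itself does not state.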
@@ -0,0 +1,53 @@
+tailscale-key: ENC[AES256_GCM,data:cMMm0Ml3k4nKTo5zmK/2jE6x3u6yr5QMR7hPOyT5TfHE5mBK94IldWgSANInyRFMMu+BK8krqjQo/zZO1w==,iv:DvuM0WgpSG/JZR66P/oScfwdVOcb3/MqcBXtrVp82jg=,tag:X8ViyuYcws3luqnKdqZOHQ==,type:str]
+sops:
+ shamir_threshold: 1
+ age:
+ - recipient: age1nxgmdahcjhmtrf7q66jep55cjdcw6tfpw722jr4gytaykgf89ugqxufgyd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLdzJoWkVaS0tRY09lSC9U
+ cFBzeFFZVHgzNXhjK3plU0lmaWFBR3dJMFFnCmZhM0RGQ3dVdTVBS2NmeHpPNjlQ
+ MTd6UUtRQjQ4eWxIb2RkRXJXK29zcjAKLS0tIDRlM1hpMGgwL0E4aFVKZ2o5bXlz
+ ODhPcHAzODQzU2xReEdrZGhlL3B0OTgKunVH5uufWivBmKOzjfa3e1QoBmbI7Gez
+ OMe1ROXX/y602d4NuYh7SItX+fJj7tWYHYqos/bckwAwvKNC6zchQg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-11-16T05:04:17Z"
+ mac: ENC[AES256_GCM,data:NO+2WlrJibhP3FVJ8wQvilnb0FfUcEZv+WTLuxHpibfQxsufSiHtem3zUsfOxaBlSLWtLaavqAwgEMNcJD/Zgr58/DY5qtDpG5Zfnma7wBwqqEwQhDmjipcz08KcYIGlAF/u2ReTZf0oHhBjjGIPJIstIZSWgKzQI7HpT/064/E=,iv:+G5o52+RX57OEBGyp925U0Z7gs9021GEZGNsYYdCU4k=,tag:NiwoNKCgyRN7WmUYgCf1YQ==,type:str]
+ pgp:
+ - created_at: "2025-11-16T05:13:03Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA82M54yws73UAQ//dOvbM+VVwxJLG2XbtmtwMMy7FHi9M0xAOx1wiv9UE5Qo
+ zxw3jfSfH2trf/ODvKy3Rh04KlNfLs6BTODpTcdUjwEEf3su4fLzdxN2E9D/VaM1
+ VzwWbAmX+66OidMwwewTqGJWP/8wPL6LkOPYt4HhMUr3Ohw22XFTTfzHyocjXGh/
+ YJ4zSPae95p8DoUte7vc3kAmg2ofqA6nTPQOMl4ifQ+351u+L22wlEufV35CycsG
+ zt3jEKWaX9uo9sp7zAw1vxcNnIOEy9agLSjYvhuU50AGRPtRzVwYNYE4EJYh3iO/
+ aAsz6KnhyKHmrY0JQ/uXSMKX7g33m+iqlp1JDuueXGBqdibxvW99uP01Nqb6tdUQ
+ MxeRKYuLTUnrYHnLDayblK6Z7H9SWcEPuBpgFEC+gmZRsOx6bEIibsyuwLRsWG+M
+ VcAl9rsQeMhfRGZ3wPV5AeMTmngNqtYGdehYT4OHHNI+McBwh2HbtnhVglarrimH
+ XAZqjErN16oYaTYRUtxePYnIa5SkNAstUDInW/0qlfEp9xdq/QCeB4MqTYyXIOuT
+ bFwlI68qm89MMvK/jqYpzyPHwJuv3QRBM20TQKp618y+ESJIwVZwGcMXeq4bDpm8
+ oxEOW0QxOvq6jVdYJeCJgzv2pPFlw3N5/xw/OxGFgzHEvSoEhMtkYc0CPPF1IpfS
+ XgHaeUi/Igbb5DF/fj8bTouM2ZylxOGC0DrJMx3L5z80arWNFHQNORj+NXhhWCyZ
+ dyHjcbC9zVZiOyj2eDgKxWyDqVtobdc65VVsMAd5cmDdWMh1gYj+JG0Wb0Uur9I=
+ =tNO1
+ -----END PGP MESSAGE-----
+ fp: CD8CE78CB0B3BDD4
+ - created_at: "2025-11-16T05:13:03Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2W9MER3HLb7AQf+ILr4cA4jxea27/pLjU9DkFoJat2Mi1oxbf+sM7zm4LWa
+ DykNDUhgJJdgC/8E0ziWnwnxREUxcxy5nEYwoxq8tGYh/Ct3s6Bnyg1kqCvF5Tvf
+ 6Uo3znA0endVOOlCNCGT14VnModQhCzyG4gzj7xbYBRvreLg0HNjotTFv3ubdo1T
+ CmGkODuotB/mZv0SV0nIYeoiVheIvzqOyByQ8KIF4sjESN5zulHZT3C1ZkD7zbsS
+ nYZIkPOl4pNjjCRJ3ObjJTSsFThIq5HoeUgVc0SGA+5sdiF7CEHbZ6ApLgQhG8QI
+ XlPvvYs2E4ctczg3FAVvZX7UsEDdULOo1CTFsNoTV9JeAWjzIHofqqnhszrJDGdE
+ 0Ifw6YMJhhvO9IFAb5PdQ2zC2JQRvMXvmC22Fuyn5taGK85vXNi8rIsPERNmCFpx
+ Rqm8teAo4u++CsrWTx1zeCKVlGzWjBJDX5GWNc3ihg==
+ =Zvuq
+ -----END PGP MESSAGE-----
+ fp: 65BD3044771CB6FB
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0