From 9e7cadeded5b13abb362c7f4a6fc78215c3e1c3f Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Tue, 18 Mar 2025 17:36:11 +0000 Subject: [PATCH] fix(ops): delete email config for now We don't have an email server configured (yet), we can resurrect it once we do. Change-Id: I568075154c6169d031462f39b43ce5897a754f19 Reviewed-on: https://cl.snix.dev/c/snix/+/30109 Autosubmit: Florian Klink Tested-by: besadii Reviewed-by: Ilan Joselevich --- ops/dns/dns-snix-dev.tf | 15 ------ ops/hcloud/snix.tf | 13 ----- ops/machines/public01/default.nix | 10 ---- ops/modules/stalwart.nix | 83 ------------------------------- ops/modules/www/mail.snix.dev.nix | 25 ---------- 5 files changed, 146 deletions(-) delete mode 100644 ops/modules/stalwart.nix delete mode 100644 ops/modules/www/mail.snix.dev.nix diff --git a/ops/dns/dns-snix-dev.tf b/ops/dns/dns-snix-dev.tf index add0fac2f..8456e5ec7 100644 --- a/ops/dns/dns-snix-dev.tf +++ b/ops/dns/dns-snix-dev.tf @@ -69,21 +69,6 @@ resource "digitalocean_record" "snix_dev_infra_public01_v6" { value = var.public01_ipv6 } -# Email records -resource "digitalocean_record" "snix_dev_mail_v4" { - domain = digitalocean_domain.snix_dev.id - type = "A" - value = "49.12.112.149" - name = "mail" -} - -resource "digitalocean_record" "snix_dev_mail_v6" { - domain = digitalocean_domain.snix_dev.id - type = "AAAA" - value = "2a01:4f8:c013:3e62::2" - name = "mail" -} - # Explicit records for all services running on public01 resource "digitalocean_record" "snix_dev_public01" { domain = digitalocean_domain.snix_dev.id diff --git a/ops/hcloud/snix.tf b/ops/hcloud/snix.tf index 08adb9da6..38eb64e7a 100644 --- a/ops/hcloud/snix.tf +++ b/ops/hcloud/snix.tf 
@@ -81,19 +81,6 @@ resource "hcloud_server" "public01" { } } -resource "hcloud_rdns" "mail-v4" { - floating_ip_id = hcloud_floating_ip.mail.id - ip_address = hcloud_floating_ip.mail.ip_address - dns_ptr = "mail.snix.dev" -} - -resource "hcloud_rdns" "mail-v6" { - server_id = hcloud_server.public01.id - # Hardcoded because I don't want to compute it via Terraform. - ip_address = "2a01:4f8:c013:3e62::2" - dns_ptr = "mail.snix.dev" -} - resource "hcloud_rdns" "public01-v4" { server_id = hcloud_server.public01.id ip_address = hcloud_server.public01.ipv4_address diff --git a/ops/machines/public01/default.nix b/ops/machines/public01/default.nix index 818eaca4c..50bd32543 100644 --- a/ops/machines/public01/default.nix +++ b/ops/machines/public01/default.nix @@ -11,7 +11,6 @@ in (mod "hetzner-cloud.nix") (mod "forgejo.nix") (mod "restic.nix") - # (mod "stalwart.nix") # Automatically enable metric and log collection. (mod "o11y/agent.nix") (mod "o11y/grafana.nix") @@ -20,7 +19,6 @@ in (mod "www/status.snix.dev.nix") (mod "www/auth.snix.dev.nix") (mod "www/git.snix.dev.nix") - # (mod "www/mail.snix.dev.nix") (mod "known-hosts.nix") (depot.third_party.agenix.src + "/modules/age.nix") @@ -32,10 +30,6 @@ in infra.hardware.hetzner-cloud = { enable = true; ipv6 = "2a01:4f8:c013:3e62::1/64"; - # Additional IPs. - floatingIPs = [ - "49.12.112.149/32" - ]; }; networking = { @@ -69,10 +63,6 @@ in domain = "git.snix.dev"; }; grafana.enable = true; - # stalwart = { - # enable = true; - # mailDomain = "mail.snix.dev"; - # }; # Configure backups to Hetzner Cloud restic = { enable = true; diff --git a/ops/modules/stalwart.nix b/ops/modules/stalwart.nix deleted file mode 100644 index e53226088..000000000 --- a/ops/modules/stalwart.nix +++ /dev/null 
@@ -1,83 +0,0 @@
-# Stalwart is an all-in-one mailserver in Rust.
-# https://stalw.art/
-{ config, lib, ... }:
-let
- inherit (lib) mkOption mkEnableOption mkIf types;
- cfg = config.services.depot.stalwart;
- certs = config.security.acme.certs.${cfg.mailDomain} or (throw "NixOS-level ACME was not enabled for `${cfg.mailDomain}`: mailserver cannot autoconfigure!");
- mkBind = port: ip: "${ip}:${toString port}";
-in
-{
- options.services.depot.stalwart = {
- enable = mkEnableOption "Stalwart Mail server";
-
- listenAddresses = mkOption {
- type = types.listOf types.str;
- default = [
- "49.12.112.149"
- "[2a01:4f8:c013:3e62::2]"
- ];
- };
-
- mailDomain = mkOption {
- type = types.str;
- description = "The email domain, i.e. the part after @";
- example = "snix.dev";
- };
- };
-
- config = mkIf cfg.enable {
- # Open only from the listen addresses.
- networking.firewall.allowedTCPPorts = [ 25 587 143 443 ];
- services.stalwart-mail = {
- enable = true;
- settings = {
- certificate.letsencrypt = {
- cert = "file://${certs.directory}/fullchain.pem";
- private-key = "file://${certs.directory}/key.pem";
- };
- server = {
- hostname = cfg.mailDomain;
- tls = {
- certificate = "letsencrypt";
- enable = true;
- implicit = false;
- };
- listener = {
- smtp = {
- bind = map (mkBind 587) cfg.listenAddresses;
- protocol = "smtp";
- };
- imap = {
- bind = map (mkBind 143) cfg.listenAddresses;
- protocol = "imap";
- };
- mgmt = {
- bind = map (mkBind 443) cfg.listenAddresses;
- protocol = "https";
- };
- };
- };
- session = {
- rcpt = {
- directory = "in-memory";
- # Allow this server to be used as a relay for authenticated principals.
- relay = [
- { "if" = "!is_empty(authenticated_as)"; "then" = true; }
- { "else" = false; }
- ];
- };
- auth = {
- mechanisms = [ "PLAIN" ];
- directory = "in-memory";
- };
- };
- jmap.directory = "in-memory";
- queue.outbound.next-hop = [ "local" ];
- directory.in-memory = {
- type = "memory";
- };
- };
- };
- };
-}
diff --git a/ops/modules/www/mail.snix.dev.nix b/ops/modules/www/mail.snix.dev.nix
deleted file mode 100644
index 3aceaaec4..000000000
--- a/ops/modules/www/mail.snix.dev.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, ... }:
-
-{
- imports = [
- ./base.nix
- ];
-
- config = {
- # Listen on a special IPv4 & IPv6 specialized for mail.
- # This NGINX has only one role: obtain TLS/SSL certificates for the mailserver.
- # All the TLS, IMAP, SMTP stuff is handled directly by the mailserver runtime.
- # This is why you will not see any `stream { }` block here.
- services.nginx.virtualHosts.stalwart = {
- serverName = "mail.snix.dev";
- enableACME = true;
- forceSSL = true;
-
- listenAddresses = [
- "127.0.0.2"
- "49.12.112.149"
- "[2a01:4f8:c013:3e62::2]"
- ];
- };
- };
-}