fix(ops): delete email config for now

We don't have an email server configured (yet), we can resurrect it once we do. Change-Id: I568075154c6169d031462f39b43ce5897a754f19 Reviewed-on: https://cl.snix.dev/c/snix/+/30109 Autosubmit: Florian Klink <flokli@flokli.de> Tested-by: besadii Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-03-18 17:36:11 +00:00 · 2025-03-18 17:36:11 +00:00 · 9e7cadeded
commit 9e7cadeded
parent ebc924d492
5 changed files with 0 additions and 146 deletions
--- a/ops/dns/dns-snix-dev.tf
+++ b/ops/dns/dns-snix-dev.tf
@ -69,21 +69,6 @@ resource "digitalocean_record" "snix_dev_infra_public01_v6" {
  value    = var.public01_ipv6
 }
 # Email records
 resource "digitalocean_record" "snix_dev_mail_v4" {
  domain  = digitalocean_domain.snix_dev.id
  type    = "A"
  value   = "49.12.112.149"
  name    = "mail"
 }
 resource "digitalocean_record" "snix_dev_mail_v6" {
  domain  = digitalocean_domain.snix_dev.id
  type    = "AAAA"
  value   = "2a01:4f8:c013:3e62::2"
  name    = "mail"
 }
 # Explicit records for all services running on public01
 resource "digitalocean_record" "snix_dev_public01" {
  domain   = digitalocean_domain.snix_dev.id
--- a/ops/hcloud/snix.tf
+++ b/ops/hcloud/snix.tf
@ -81,19 +81,6 @@ resource "hcloud_server" "public01" {
  }
 }
 resource "hcloud_rdns" "mail-v4" {
  floating_ip_id = hcloud_floating_ip.mail.id
  ip_address     = hcloud_floating_ip.mail.ip_address
  dns_ptr        = "mail.snix.dev"
 }
 resource "hcloud_rdns" "mail-v6" {
  server_id  = hcloud_server.public01.id
  # Hardcoded because I don't want to compute it via Terraform.
  ip_address = "2a01:4f8:c013:3e62::2"
  dns_ptr    = "mail.snix.dev"
 }
 resource "hcloud_rdns" "public01-v4" {
  server_id = hcloud_server.public01.id
  ip_address = hcloud_server.public01.ipv4_address
--- a/ops/machines/public01/default.nix
+++ b/ops/machines/public01/default.nix
@ -11,7 +11,6 @@ in
    (mod "hetzner-cloud.nix")
    (mod "forgejo.nix")
    (mod "restic.nix")
    # (mod "stalwart.nix")
    # Automatically enable metric and log collection.
    (mod "o11y/agent.nix")
    (mod "o11y/grafana.nix")
@ -20,7 +19,6 @@ in
    (mod "www/status.snix.dev.nix")
    (mod "www/auth.snix.dev.nix")
    (mod "www/git.snix.dev.nix")
    # (mod "www/mail.snix.dev.nix")
    (mod "known-hosts.nix")
    (depot.third_party.agenix.src + "/modules/age.nix")
@ -32,10 +30,6 @@ in
  infra.hardware.hetzner-cloud = {
    enable = true;
    ipv6 = "2a01:4f8:c013:3e62::1/64";
    # Additional IPs.
    floatingIPs = [
      "49.12.112.149/32"
    ];
  };
  networking = {
@ -69,10 +63,6 @@ in
      domain = "git.snix.dev";
    };
    grafana.enable = true;
    # stalwart = {
    #   enable = true;
    #   mailDomain = "mail.snix.dev";
    # };
    # Configure backups to Hetzner Cloud
    restic = {
      enable = true;
--- a/ops/modules/stalwart.nix
+++ b/ops/modules/stalwart.nix
@ -1,83 +0,0 @@
 # Stalwart is an all-in-one mailserver in Rust.
 # https://stalw.art/
 { config, lib, ... }:
 let
  inherit (lib) mkOption mkEnableOption mkIf types;
  cfg = config.services.depot.stalwart;
  certs = config.security.acme.certs.${cfg.mailDomain} or (throw "NixOS-level ACME was not enabled for `${cfg.mailDomain}`: mailserver cannot autoconfigure!");
  mkBind = port: ip: "${ip}:${toString port}";
 in
 {
  options.services.depot.stalwart = {
    enable = mkEnableOption "Stalwart Mail server";
    listenAddresses = mkOption {
      type = types.listOf types.str;
      default = [
        "49.12.112.149"
        "[2a01:4f8:c013:3e62::2]"
      ];
    };
    mailDomain = mkOption {
      type = types.str;
      description = "The email domain, i.e. the part after @";
      example = "snix.dev";
    };
  };
  config = mkIf cfg.enable {
    # Open only from the listen addresses.
    networking.firewall.allowedTCPPorts = [ 25 587 143 443 ];
    services.stalwart-mail = {
      enable = true;
      settings = {
        certificate.letsencrypt = {
          cert = "file://${certs.directory}/fullchain.pem";
          private-key = "file://${certs.directory}/key.pem";
        };
        server = {
          hostname = cfg.mailDomain;
          tls = {
            certificate = "letsencrypt";
            enable = true;
            implicit = false;
          };
          listener = {
            smtp = {
              bind = map (mkBind 587) cfg.listenAddresses;
              protocol = "smtp";
            };
            imap = {
              bind = map (mkBind 143) cfg.listenAddresses;
              protocol = "imap";
            };
            mgmt = {
              bind = map (mkBind 443) cfg.listenAddresses;
              protocol = "https";
            };
          };
        };
        session = {
          rcpt = {
            directory = "in-memory";
            # Allow this server to be used as a relay for authenticated principals.
            relay = [
              { "if" = "!is_empty(authenticated_as)"; "then" = true; }
              { "else" = false; }
            ];
          };
          auth = {
            mechanisms = [ "PLAIN" ];
            directory = "in-memory";
          };
        };
        jmap.directory = "in-memory";
        queue.outbound.next-hop = [ "local" ];
        directory.in-memory = {
          type = "memory";
        };
      };
    };
  };
 }
--- a/ops/modules/www/mail.snix.dev.nix
+++ b/ops/modules/www/mail.snix.dev.nix
@ -1,25 +0,0 @@
 { config, ... }:
 {
  imports = [
    ./base.nix
  ];
  config = {
    # Listen on a special IPv4 & IPv6 specialized for mail. 
    # This NGINX has only one role: obtain TLS/SSL certificates for the mailserver. 
    # All the TLS, IMAP, SMTP stuff is handled directly by the mailserver runtime. 
    # This is why you will not see any `stream { }` block here.
    services.nginx.virtualHosts.stalwart = {
      serverName = "mail.snix.dev";
      enableACME = true;
      forceSSL = true;
      listenAddresses = [
        "127.0.0.2"
        "49.12.112.149"
        "[2a01:4f8:c013:3e62::2]"
      ];
    };
  };
 }