feat: Add new email alias to mailserver configuration

This commit adds a new email alias to the mailserver configuration. This new addition will allow emails sent to this address to be properly routed and received.
2024-07-05 13:33:35 +02:00 · 2024-07-05 13:33:35 +02:00 · 2710b5eae6
parent 31073cd9d5
commit 2710b5eae6
3 changed files with 155 additions and 0 deletions
--- a/systems/x86_64-linux/sgx-attic/atticd.nix
+++ b/systems/x86_64-linux/sgx-attic/atticd.nix
@ -0,0 +1,55 @@
+{ pkgs, lib, config, ... }:
+{
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "attic" ];
+    ensureUsers = [{ name = "atticd"; }];
+  };
+
+  systemd.services.postgresql.postStart = lib.mkAfter ''
+    $PSQL -tAc 'ALTER DATABASE "attic" OWNER TO "atticd"'
+  '';
+
+  environment.systemPackages = with pkgs; [
+    attic-client
+  ];
+  services.atticd = {
+    enable = true;
+
+    # Replace with absolute path to your credentials file
+    credentialsFile = "/etc/atticd.env";
+
+    settings = {
+      api-endpoint = "https://attic.teepot.org/";
+
+      garbage-collection.default-retention-period = "3 months";
+
+      database.url = "postgresql:///attic?host=/run/postgresql";
+
+      listen = "[::]:8080";
+
+      # Data chunking
+      #
+      # Warning: If you change any of the values here, it will be
+      # difficult to reuse existing chunks for newly-uploaded NARs
+      # since the cutpoints will be different. As a result, the
+      # deduplication ratio will suffer for a while after the change.
+      chunking = {
+        # The minimum NAR size to trigger chunking
+        #
+        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # If 1, all NARs are chunked.
+        nar-size-threshold = 64 * 1024; # 64 KiB
+
+        # The preferred minimum size of a chunk, in bytes
+        min-size = 16 * 1024; # 16 KiB
+
+        # The preferred average size of a chunk, in bytes
+        avg-size = 64 * 1024; # 64 KiB
+
+        # The preferred maximum size of a chunk, in bytes
+        max-size = 256 * 1024; # 256 KiB
+      };
+    };
+  };
+}
--- a/systems/x86_64-linux/sgx-attic/default.nix
+++ b/systems/x86_64-linux/sgx-attic/default.nix
@ -0,0 +1,61 @@
+{ pkgs, lib, config, ... }:
+with lib;
+with lib.metacfg;
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./atticd.nix
+  ];
+
+  boot.kernel.sysctl."net.ipv4.conf.all.route_localnet" = 1;
+  boot.kernelPackages = lib.mkOverride 0 pkgs.linuxPackages_latest;
+
+  networking.firewall.extraCommands = ''
+    iptables -t nat -A OUTPUT -o lo -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
+    iptables -t nat -A POSTROUTING -j MASQUERADE
+  '';
+
+  metacfg = {
+    base.enable = true;
+    nix-ld.enable = true;
+    nix.enable = true;
+    aesmd_dcap.enable = true;
+    podman.enable = true;
+    user.extraGroups = [ "docker" "sgx" ];
+  };
+
+  environment.etc."sgx_default_qcnl.conf".text = ''
+    {
+      "pccs_url": "https://192.168.122.1:8081/sgx/certification/v4/",
+      "use_secure_cert": false,
+      "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+      "retry_times": 6,
+      "retry_delay": 10,
+      "pck_cache_expire_hours": 168,
+      "verify_collateral_cache_expire_hours": 168,
+      "local_cache_only": false
+    }
+  '';
+
+  virtualisation = {
+    docker.enable = true;
+    podman.dockerCompat = false;
+  };
+
+  system.autoUpgrade = {
+    enable = true;
+    operation = "switch";
+    allowReboot = true;
+  };
+
+  security.tpm2.enable = false;
+  security.tpm2.abrmd.enable = false;
+
+  networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+  networking.firewall.allowPing = true;
+
+  powerManagement.cpuFreqGovernor = "ondemand";
+
+  system.stateVersion = "23.11";
+}
--- a/systems/x86_64-linux/sgx-attic/hardware-configuration.nix
+++ b/systems/x86_64-linux/sgx-attic/hardware-configuration.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/2d36df53-678c-49a7-9d59-05a1af7661df";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/69FB-9117";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}