Merge branch 'master' of ssh://ssh.nx2.site:50022/nx2/dotfiles

email smtp2go&google relay 2
2026-05-04 03:30:45 +02:00 · 2026-05-04 03:30:43 +02:00
6 changed files with 73 additions and 20 deletions
--- a/sops-secrets.yaml
+++ b/sops-secrets.yaml
--- a/system-modules/networking.nix
+++ b/system-modules/networking.nix
@@ -10,13 +10,15 @@
    };
    enableIPv6 = true;
    firewall.allowedTCPPorts = [ 
-      (pkgs.lib.mkIf config.services.ollama.enable 11434)
-      80
-      443
      8000
      8080
-      (pkgs.lib.mkIf config.services.postfix.enable 587)
-      (pkgs.lib.mkIf config.services.dovecot2.enable 993)
+      (pkgs.lib.mkIf config.services.nginx.enable 80)
+      (pkgs.lib.mkIf config.services.nginx.enable 443)
+      (pkgs.lib.mkIf config.services.ollama.enable 11434)
+      (pkgs.lib.mkIf config.services.maddy.enable 587)
+      (pkgs.lib.mkIf config.services.maddy.enable 465)
+      (pkgs.lib.mkIf config.services.maddy.enable 993)
+      (pkgs.lib.mkIf config.services.maddy.enable 25025)
    ];
  };
 }
--- a/system-modules/nx2site.nix
+++ b/system-modules/nx2site.nix
@@ -91,12 +91,12 @@ def main():
    print(f"*.${hyper.domain}:    {update_record(record_id="${record_id.sub}",   record_name="*.${hyper.domain}",    ip=my_ip,  type="A",    proxied=True,  pw=pw).status_code}")
    print(f"ssh.${hyper.domain}:  {update_record(record_id="${record_id.ssh}",   record_name="ssh.${hyper.domain}",  ip=my_ip,  type="A",    proxied=False, pw=pw).status_code}")
    print(f"dev.${hyper.domain}:  {update_record(record_id="${record_id.dev}",   record_name="dev.${hyper.domain}",  ip=my_ip,  type="A",    proxied=False, pw=pw).status_code}")
-    print(f"mail.${hyper.domain}: {update_record(record_id="${record_id.mail}",   record_name="mail.${hyper.domain}", ip=my_ip,  type="A",    proxied=False, pw=pw).status_code}")
+    # print(f"mail.${hyper.domain}: {update_record(record_id="${record_id.mail}",   record_name="mail.${hyper.domain}", ip=my_ip,  type="A",    proxied=False, pw=pw).status_code}")

    print(f"${hyper.domain}:      {update_record(record_id="${record_id.base6}", record_name="${hyper.domain}",      ip=my_ip6, type="AAAA", proxied=True,  pw=pw).status_code}")
    print(f"*.${hyper.domain}:    {update_record(record_id="${record_id.sub6}",  record_name="*.${hyper.domain}",    ip=my_ip6, type="AAAA", proxied=True,  pw=pw).status_code}")
    print(f"ssh.${hyper.domain}:  {update_record(record_id="${record_id.ssh6}",  record_name="ssh.${hyper.domain}",  ip=my_ip6, type="AAAA", proxied=False, pw=pw).status_code}")
-    print(f"mail.${hyper.domain}: {update_record(record_id="${record_id.mail6}",  record_name="mail.${hyper.domain}", ip=my_ip6, type="AAAA", proxied=False, pw=pw).status_code}")
+    # print(f"mail.${hyper.domain}: {update_record(record_id="${record_id.mail6}",  record_name="mail.${hyper.domain}", ip=my_ip6, type="AAAA", proxied=False, pw=pw).status_code}")

 if __name__ == "__main__":
    main()
--- a/system-modules/nx2site/maddy.nix
+++ b/system-modules/nx2site/maddy.nix
@@ -68,6 +68,36 @@
              deliver_to &remote_queue
          }
      }
+      # nx2s-email-relay backdor
+      smtp tcp://0.0.0.0:25025 {
+          # tls off
+    
+          # 1. Allow incoming mail from the VM for your domains
+          destination postmaster $(local_domains) {
+              deliver_to &local_routing
+          }
+
+          # 2. Prevent the world from using you as an open relay
+          default_destination {
+              reject 521 5.0.0 "User not local"
+          }
+      }
    '';
  };
 }
+
+
+# --- Receive
+# 1. mx to mail.nx2.site
+# 2. mail.nx2.site to nx2s-email-relay (google e2-micro)
+# 3. nx2s-email-relay uses emaul-relay.service to socat 25 to 25025 home
+# 4. home gets 25025 and handles it
+
+# -- Send
+# 1. Via Smtp2go (mail-eu.smtp2go.com)
+# SPF is coverd by CNAME (return) (somehow)
+
+
+
+
+
--- a/system-modules/nx2site/nextcloud.nix
+++ b/system-modules/nx2site/nextcloud.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }@all: with all; let 
  user = "nextcloud";
 in {
-  sops.secrets = let ss = { owner = user; group = user; mode = "777"; }; in {
+  sops.secrets = let ss = { owner = user; group = user; mode = "600"; }; in {
    "nx2site/nextcloud/admin_pass" = ss;
    "nx2site/nextcloud/db_pass" = ss;
    "nx2site/nextcloud/lennart_pass" = ss;
@@ -9,6 +9,7 @@ in {
    "nx2site/nextcloud/diane_pass" = ss;
    "nx2site/nextcloud/georg_pass" = ss;
    "nx2site/nextcloud/tessa_pass" = ss;
+    "nx2site/smtp2go/nextcloud_api_key" = ss;
  };
  users.users."${user}" = {
    isSystemUser = true;
@@ -39,17 +40,25 @@ in {
      overwriteProtocol = "https";
      default_phone_region = "DE";
      
+      # # local
+      # "mail_smtpmode" = "smtp";
+      # "mail_smtphost" = "127.0.0.1";
+      # "mail_smtpport" = 2525;
+      # "mail_from_address" = "nextcloud";
+      # "mail_domain" = hyper.domain;
+      # "mail_smtpsecure" = ""; # = STARTTLS
+
      "mail_smtpmode" = "smtp";
-      "mail_smtphost" = "127.0.0.1";
+      "mail_smtphost" = "mail-eu.smtp2go.com";
      "mail_smtpport" = 2525;
      "mail_from_address" = "nextcloud";
      "mail_domain" = hyper.domain;
      "mail_smtpsecure" = ""; # = STARTTLS
-      # "mail_smtpauth" = true;
-      # "mail_smtpauthtype" = "LOGIN";
-      # "mail_smtpname" = "nextcloud@${hyper.domain}";
+      "mail_smtpauth" = true;
+      "mail_smtpauthtype" = "LOGIN";
+      "mail_smtpname" = "nextcloud@${hyper.domain}";
    };
-    secrets."mail_smtppassword" = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
+    secrets."mail_smtppassword" = config.sops.secrets."nx2site/smtp2go/nextcloud_api_key".path;
    # secrets.settings."mail_smtppassword" = config.sops.secrets."nx2site/maddy/nextcloud_password".path;
    config = {
      adminpassFile = config.sops.secrets."nx2site/nextcloud/admin_pass".path;
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -15,7 +15,8 @@
      "${hyper.domain}" = {
        extraDomainNames = builtins.map (subd: "${subd}.${hyper.domain}") [
          "sync"
-          "mail"
+          "ssh"
+          # "mail"
        ];
      };
    };
@@ -116,6 +117,13 @@
        ];
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
      };
+      "ssh.${hyper.domain}" = {
+        listen = [
+          { addr = "0.0.0.0"; port = 80; }
+          { addr = "[::0]"; port = 80; }
+        ];
+        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
+      };
      "matrix.${hyper.domain}" = {
        listen = dl;
        locations."~.*".return = "502";
@@ -204,11 +212,13 @@
      };
      "dev.${hyper.domain}" = vh // {
        listen = dl;
-        locations."/" = { 
+        locations = {
+          "/" = { 
            proxyPass = "http://127.0.0.1:8080";
            proxyWebsockets = true;
          }; 
        };
+      };
      # is done atomatically
      # "owc.${hyper.domain}" = vh // { 
      #   listen = dl;
Author	SHA1	Message	Date
Lennart J. Kurzweg (Nx2)	fc9122be42	Merge branch 'master' of ssh://ssh.nx2.site:50022/nx2/dotfiles	2026-05-04 03:30:45 +02:00
Lennart J. Kurzweg (Nx2)	6ab89d09b7	email smtp2go&google relay 2	2026-05-04 03:30:43 +02:00