migrate to nix flake

flake.lock

@@ -0,0 +1,95 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1633934814,
+        "narHash": "sha256-OF62Alp2ocacmDMzvRWMduITf87lcuGonxn9eg9uGG8=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b313502c719069cce2dd6fd1d5e7fc5999b21c70",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "release-21.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1633791597,
+        "narHash": "sha256-HzpxqTEnqsjkKWfW87kSI3WVizYjUMQeUjSIm3b5I0Y=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9bf75dd50b7b6d3ce6aaf6563db95f41438b9bdb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1607522989,
+        "narHash": "sha256-o/jWhOSAlaK7y2M57OIriRt6whuVVocS/T0mG7fd1TI=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "simple-nixos-mailserver": "simple-nixos-mailserver"
+      }
+    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1622967674,
+        "narHash": "sha256-8RLe6Rqy2rKR/PGDMg/EVsWihsO+DQe/RYmlXdRZkLs=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "5675b122a947b40e551438df6a623efad19fd2e7",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-21.05",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1605370193,
+        "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5021eac20303a61fafe17224c087f5519baed54d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,25 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/release-21.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
+  };
+
+  outputs = { self, nixpkgs, nixpkgs-unstable, simple-nixos-mailserver }: {
+    nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ({ pkgs, ... }: {
+          nix.nixPath = [
+            "nixpkgs=${nixpkgs}"
+          ];
+        })
+        nixpkgs.nixosModules.notDetected
+        "${nixpkgs-unstable}/nixos/modules/services/audio/navidrome.nix"
+        simple-nixos-mailserver.nixosModule
+        ./systems/LoutreOS/configuration.nix
+      ];
+    };
+  };
+}
+

services/mail-server.nix

@@ -1,76 +0,0 @@
-{ lib, config, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mailserver;
-in
-{
-  options.services.mailserver = {
-    enable = mkEnableOption "Mail Server";
-    domaine = mkOption {
-      type = types.str;
-      example = "example.com";
-      description = "Nom de domaine du serveur de mails";
-    };
-  };
-
-  imports = [
-    (builtins.fetchTarball {
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
-      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
-    })
-  ];
-
-  config = mkIf cfg.enable {
-
-    mailserver = {
-      enable = true;
-      fqdn = "mail.${cfg.domaine}";
-      domains = [ cfg.domaine ];
-
-      # A list of all login accounts. To create the password hashes, use
-      # mkpasswd -m sha-512 "super secret password"
-      loginAccounts = {
-        "paul@${cfg.domaine}" = {
-          hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
-        };
-      };
-
-      # Certificate setup
-      certificateScheme = 1;
-      certificateFile = "/var/lib/acme/${cfg.domaine}/fullchain.pem";
-      keyFile = "/var/lib/acme/${cfg.domaine}/key.pem";
-
-      # Enable IMAP and POP3
-      enableImap = true;
-      enablePop3 = true;
-      enableImapSsl = true;
-      enablePop3Ssl = true;
-
-      # Enable the ManageSieve protocol
-      enableManageSieve = true;
-    };
-
-    services.postfix = {
-      relayHost = "mailvps.nyanlout.re";
-      relayPort = 587;
-      config = {
-        smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
-        smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
-      };
-    };
-
-    security.acme.certs = {
-      "${cfg.domaine}" = {
-        extraDomainNames = [
-          "mail.${cfg.domaine}"
-        ];
-        postRun = ''
-          systemctl reload dovecot2.service
-        '';
-      };
-    };
-
-  };
-}

systems/LoutreOS/configuration.nix

@@ -4,10 +4,6 @@
 
 { config, pkgs, ... }:
 
-let
-  gitRev = "4c45e960e797d660358a11723e736afee3998261";
-  nixpkgs = fetchTarball "https://github.com/nyanloutre/nixpkgs/archive/${gitRev}.tar.gz";
-in
 {
   imports = [
     ../common-cli.nix
@@ -27,10 +23,12 @@ in
     tmpOnTmpfs = true;
   };
 
-  nix.nixPath = [
+  nix = {
-    "nixpkgs=${nixpkgs}"
+    package = pkgs.nixUnstable;
-    "nixos-config=/etc/nixos/configuration.nix"
+    extraOptions = ''
-  ];
+      experimental-features = nix-command flakes
+    '';
+  };
 
   documentation.nixos.enable = false;
 

systems/LoutreOS/hardware-configuration.nix

@@ -4,10 +4,6 @@
 { config, lib, pkgs, ... }:
 
 {
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
   boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];

systems/LoutreOS/services.nix

@@ -26,7 +26,6 @@ in
 
 {
   imports = [
-    ../../services/mail-server.nix
     ../../services/python-ci.nix
     ../../services/sdtdserver.nix
     # ../../containers/vsftpd.nix
@@ -36,7 +35,62 @@ in
     ./web.nix
   ];
 
+  security.acme.certs = {
+    "${domaine}" = {
+      extraDomainNames = [
+        "mail.${domaine}"
+      ];
+      postRun = ''
+        systemctl reload dovecot2.service
+      '';
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.${domaine}";
+    domains = [ domaine ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # mkpasswd -m sha-512 "super secret password"
+    loginAccounts = {
+      "paul@${domaine}" = {
+        hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
+      };
+      "claire@${domaine}" = {
+        hashedPassword = "$6$Y.vlWP9./DX$NEQQOLzYftbHOvXDkKdBYFAjzIjh8mlpomDuQRq6qkkZijrdy/p6jSbrpBLhoWwVmj4j1OWekHU1f4C9xCNJk.";
+      };
+    };
+
+    # Certificate setup
+    certificateScheme = 1;
+    certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
+    keyFile = "/var/lib/acme/${domaine}/key.pem";
+
+    # Enable IMAP and POP3
+    enableImap = true;
+    enablePop3 = true;
+    enableImapSsl = true;
+    enablePop3Ssl = true;
+
+    # Enable the ManageSieve protocol
+    enableManageSieve = true;
+  };
+
   services = {
+    postfix = {
+      relayHost = "mailvps.nyanlout.re";
+      relayPort = 587;
+      config = {
+        smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
+        smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
+      };
+    };
+
+    rspamd.workers.controller.extraConfig = ''
+      secure_ip = ["127.0.0.1", "10.30.135.71"];
+    '';
+
     redis.enable = true;
 
     logrotate = {
@@ -58,11 +112,6 @@ in
 
     fstrim.enable = true;
 
-    mailserver = {
-      enable = true;
-      domaine = domaine;
-    };
-
     syncthing = {
       enable = true;
       dataDir = "/var/lib/syncthing";

systems/LoutreOS/web.nix

@@ -88,7 +88,6 @@ in
       '';
       sso = {
         enable = true;
-        environmentFile = "/mnt/secrets/nginx-sso.env";
         configuration = {
           listen = {
             addr = "127.0.0.1";
@@ -325,4 +324,6 @@ in
     wantedBy = [ "sockets.target" ];
     listenStreams = [ "/run/site-musique.sock" ];
   };
+
+  systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
 }