os/hosts/frikandel/email.nix

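{
  flake,
  config,
  options,
  pkgs,
  lib,
  ...
}: let
  # Hook run by Caddy's `on cert_obtained` event.  Caddy passes the name of
  # the (re)issued certificate as the first argument.  maddy serves Caddy's
  # key/cert for mail.b12f.io straight out of Caddy's storage (see
  # services.maddy.tls below), so it has to be restarted to pick the renewed
  # files up.
  restartMaddyOnCertRenewal = pkgs.writeShellScriptBin "restart-maddy-on-cert-renewal" ''
    # Only react to the certificate maddy actually serves.  The space before
    # "]" is required: `"mail.b12f.io"]` is a shell syntax error, so the
    # original form never restarted maddy at all.
    if [ "$1" = "mail.b12f.io" ]; then
      ${pkgs.systemd}/bin/systemctl restart maddy.service
    fi
  '';

  # RFC 8461 MTA-STS policy, served at
  # https://mta-sts.b12f.io/.well-known/mta-sts.txt.  Built with printf so the
  # file holds exactly the four key/value lines: the earlier `echo "..."` form
  # began the file with an empty line and carried Nix-string indentation into
  # every policy line.
  # NOTE(review): changing this policy also requires bumping the `id` in the
  # _mta-sts.b12f.io TXT record, which is not managed here.
  mtaStsPolicyDir = pkgs.runCommand "mta-sts-policy" {} ''
    mkdir -p "$out/.well-known"
    printf '%s\n' \
      'version: STSv1' \
      'mode: enforce' \
      'max_age: 604800' \
      'mx: mail.b12f.io' \
      > "$out/.well-known/mta-sts.txt"
  '';
in {
  # DKIM signing key for b12f.io.  The key is read by maddy's DKIM modifier
  # (services.maddy.config below) and rspamd's own dkim_signing is disabled,
  # so the file has to be readable by the maddy user; with mode 0400 the
  # owner is the only user that can open it.
  age.secrets."b12f.io-dkim-private-rsa" = {
    file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
    mode = "400";
    owner = "maddy";
  };

  # Password for the mail@b12f.io account, consumed via passwordFile below.
  age.secrets."mail@b12f.io-password" = {
    file = "${flake.self}/secrets/mail@b12f.io-password.age";
    mode = "400";
    owner = "maddy";
  };

  services.caddy = {
    # Restart maddy whenever Caddy obtains a certificate (see the hook above).
    # NOTE(review): the `exec` event handler is not part of stock Caddy;
    # confirm the Caddy package used here is built with it.
    globalConfig = ''
      events {
        on cert_obtained exec ${restartMaddyOnCertRenewal}/bin/restart-maddy-on-cert-renewal {event.data.name}
      }
    '';
    virtualHosts = {
      # This vhost exists so Caddy obtains and renews the mail.b12f.io
      # certificate that maddy serves; it has no HTTP content.  `respond` with
      # a body alone answers 200, so the status is given explicitly.
      "mail.b12f.io".extraConfig = ''
        respond "404 Not Found" 404
      '';
      # MTA-STS policy host.  Must be reachable over valid HTTPS, which Caddy's
      # automatic certificates provide.
      "mta-sts.b12f.io".extraConfig = ''
        encode gzip
        file_server
        root * ${mtaStsPolicyDir}
      '';
    };
  };

  services.maddy = {
    # maddy is currently switched off; note that nothing below is validated by
    # maddy itself until this is set to true.
    enable = false;
    # Opens maddy's SMTP/submission/IMAP ports in the host firewall.
    openFirewall = true;
    hostname = "mail.b12f.io";
    primaryDomain = "b12f.io";
    ensureAccounts = [
      "mail@b12f.io"
    ];
    ensureCredentials = {
      # passwordFile points at the agenix-managed file outside the Nix store;
      # the nixpkgs warning about world-readable passwords applies to
      # pkgs.writeText-style paths, not to this.
      "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
    };
    tls = {
      # Reuse the certificate Caddy obtains for mail.b12f.io.
      # NOTE(review): the maddy service user must be able to read Caddy's
      # private key under /var/lib/caddy; confirm the directory/file
      # permissions (or a group grant) actually allow this.
      certificates = [
        {
          keyPath = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.b12f.io/mail.b12f.io.key";
          certPath = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.b12f.io/mail.b12f.io.crt";
        }
      ];
    };
    # Start from the module's stock configuration text
    # (`options.services.maddy.config.default`; `config.services.maddy.config`
    # is the very value being defined here, and a string has no `.default`),
    # insert an rspamd check into the local_routing pipeline, then append the
    # DKIM modifier.  Strings are joined with `+`: `++` is list concatenation
    # and is a type error on strings.
    config =
      (builtins.replaceStrings
        ["msgpipeline local_routing {"]
        [''
          msgpipeline local_routing {
            check {
              rspamd {
                api_path http://localhost:11334
              }
            }
        '']
        options.services.maddy.config.default)
      # maddy signs outgoing mail itself (rspamd's dkim_signing is disabled
      # below) with the agenix-provided key.  maddy's DKIM modifier is the
      # `dkim { ... }` block inside `modify`.
      # NOTE(review): this appends `modify` at the top level of the maddy
      # config; check against the maddy docs whether it has to sit inside the
      # submission/outbound pipeline instead to take effect.
      + ''
        modify {
          dkim {
            domains b12f.io
            selector default
            key_path ${config.age.secrets."b12f.io-dkim-private-rsa".path}
          }
        }
      '';
  };

  services.rspamd = {
    enable = true;
    # Signing is done by maddy, so rspamd must not sign again.
    locals."dkim_signing.conf".text = ''
      enabled = false;
    '';
  };
  # NOTE(review): presumably grants rspamd access to maddy-owned files or
  # sockets; nothing in this file shows what it reads — confirm it is still
  # needed.
  systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
}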