email: fix maddy email config for smtp submission

initrd: take publicKeys from flake config
2024-03-25 19:13:19 +01:00 · 2024-03-25 19:12:45 +01:00
7 changed files with 29 additions and 40 deletions
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@ -29,7 +29,7 @@ in {
    ssh = {
      enable = true;
      port = 2222;
-      authorizedKeys = psCfg.user.publicKeys;
+      authorizedKeys = flake.self.publicKeys;
      hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
      shell = "/bin/cryptsetup-askpass";
    };
--- a/hosts/frikandel/configuration.nix
+++ b/hosts/frikandel/configuration.nix
@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
+  flake,
  ...
 }:
 with lib; let
@ -25,7 +26,7 @@ in {
      enable = true;
      port = 2222;
      hostKeys = [ /boot/initrd-ssh-key ];
-      authorizedKeys = psCfg.user.publicKeys;
+      authorizedKeys = flake.self.publicKeys;
      shell = "/bin/cryptsetup-askpass";
    };
    postCommands = ''
--- a/hosts/frikandel/email.nix
+++ b/hosts/frikandel/email.nix
@ -5,7 +5,7 @@
  lib,
  ...
 }: let
-  hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
+  # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
  dkimDNSb12fio = ''
  default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
  '';
@ -28,13 +28,11 @@ in {
  security.acme.certs = {
    "mail.b12f.io" = {
      reloadServices = [ "maddy" ];
-      group = "maddy";
    };
    "b12f.io" = {
      reloadServices = [ "maddy" ];
    };
    "mta-sts.b12f.io" = {};
-    "mta-sts.${hzDomain}" = {};
  };

  services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
@ -54,7 +52,7 @@ in {
          tryFiles = "$uri $uri/ =404";
        };
      };
-    }) {} [ "b12f.io" hzDomain ];
+    }) {} [ "b12f.io" ];

  systemd.tmpfiles.rules = [
    "d '/run/maddy' 0750 maddy maddy - -"
@ -64,15 +62,21 @@ in {
    mkdir -p /var/lib/maddy/dkim_keys

    echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
+    chown -R maddy:maddy /var/lib/maddy
  '';

-  networking.firewall.allowedTCPPorts = [ 25 587 993 ];
+  networking.firewall.allowedTCPPorts = [ 25 ];
+  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ];

  services.maddy = {
    enable = true;
    openFirewall = false;
    hostname = "mail.b12f.io";
    primaryDomain = "b12f.io";
+    localDomains = [
+      "b12f.io"
+      "mail.b12f.io"
+    ];
    ensureAccounts = [
      "mail@b12f.io"
    ];
@ -95,10 +99,6 @@ in {
      ];
    };
    config = ''
-      # Minimal configuration with TLS disabled, adapted from upstream example
-      # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
-      # Do not use this in production!
-
      auth.pass_table local_authdb {
        table sql_table {
          driver sqlite3
@ -179,7 +179,7 @@ in {
        }
      }

-      submission tls://0.0.0.0:587 {
+      submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 {
        limits {
          all rate 50 1s
        }
@ -237,7 +237,7 @@ in {
        }
      }

-      imap tls://0.0.0.0:993 {
+      imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 {
        auth &local_authdb
        storage &local_mailboxes
      }
--- a/hosts/frikandel/nginx.nix
+++ b/hosts/frikandel/nginx.nix
@ -16,6 +16,8 @@
    recommendedProxySettings = true;

    defaultListenAddresses = [
+      "10.13.12.7"
+      "[fd00:b12f:acab:1312:acab:7::]"
      "128.140.109.213"
      "[2a01:4f8:c2c:b60::]"
    ];
--- a/hosts/frikandel/unbound.nix
+++ b/hosts/frikandel/unbound.nix
@ -29,8 +29,8 @@
    owner = "unbound";
  };

-  networking.firewall.allowedUDPPorts = [ 53 ];
-  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.interfaces.wg-private.allowedUDPPorts = [ 53 ];
+  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 53 ];
  services.resolved.enable = false;

  services.unbound = {
@ -81,6 +81,10 @@

          "\"frikandel.b12f.io. 10800 IN A 10.13.12.7\""
          "\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+          "\"b12f.io. 10800 IN A 10.13.12.7\""
+          "\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
+          "\"mail.b12f.io. 10800 IN A 10.13.12.7\""
+          "\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
        ];

        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
+  flake,
  ...
 }:
 with lib; let
@ -34,7 +35,7 @@ in {
    ssh = {
      enable = true;
      port = 2222;
-      authorizedKeys = psCfg.user.publicKeys;
+      authorizedKeys = flake.self.publicKeys;
      hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
      shell = "/bin/cryptsetup-askpass";
    };
--- a/users/b12f/email/.config/msmtp/config
+++ b/users/b12f/email/.config/msmtp/config
@ -1,82 +1,63 @@
+defaults
+  auth           on
+  tls            on
+  tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
 account hello@benjaminbaedorf.eu
  host mail.hosting.de
  port 587
  protocol smtp
-  auth on
  from hello@benjaminbaedorf.eu
  user hello@benjaminbaedorf.eu
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account benjamin.baedorf@rwth-aachen.de
  host mail.rwth-aachen.de
  port 587
  protocol smtp
-  auth on
  from benjamin.baedorf@rwth-aachen.de
  user bb564306@rwth-aachen.de
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account byb@miom.space
  host mail.hosting.de
  port 587
  protocol smtp
-  auth on
  from byb@miom.space
  user byb@miom.space
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account admins@pub.solar
  host mail.greenbaum.zone
  port 587
  protocol smtp
-  auth on
  from admins@pub.solar
  user admins@pub.solar
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account crew@pub.solar
  host mail.greenbaum.zone
  port 587
  protocol smtp
-  auth on
  from crew@pub.solar
  user crew@pub.solar
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account mail@b12f.io
  host mail.b12f.io
  port 587
  protocol smtp
-  auth on
  from mail@b12f.io
  user mail@b12f.io
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account benjamin.yule.baedorf@verkstedt.com
  host smtp.gmail.com
  port 587
  protocol smtp
-  auth on
  from benjamin.yule.baedorf@verkstedt.com
  user benjamin.yule.baedorf@verkstedt.com
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt

 account benjamin-yule.baedorf@ext.ehealthexperts.de
  host smtp.mailbox.org
  port 587
  protocol smtp
-  auth on
  from benjamin-yule.baedorf@ext.ehealthexperts.de
  user benjamin-yule.baedorf@ext.ehealthexperts.de
-  tls on
-  tls_trust_file /etc/ssl/certs/ca-certificates.crt


 account default : hello@benjaminbaedorf.eu
Author	SHA1	Message	Date
Benjamin Yule Bädorf	dd43281a4a	email: fix maddy email config for smtp submission	2024-03-25 19:13:19 +01:00
Benjamin Yule Bädorf	f3804d23cc	initrd: take publicKeys from flake config	2024-03-25 19:12:45 +01:00