{ flake, config, pkgs, lib, ... }: let # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ]; dkimDNSb12fio = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ; ''; in { age.secrets."b12f.io-dkim-private-rsa" = { file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age"; path = "/var/lib/maddy/dkim_keys/b12f.io_default.key"; mode = "400"; owner = "maddy"; }; age.secrets."mail@b12f.io-password" = { file = "${flake.self}/secrets/mail@b12f.io-password.age"; mode = "400"; owner = "maddy"; }; users.users.maddy.extraGroups = [ "nginx" ]; security.acme.certs = { "mail.b12f.io" = { reloadServices = [ "maddy" ]; }; "b12f.io" = { reloadServices = [ "maddy" ]; }; "mta-sts.b12f.io" = {}; }; services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // { "mta-sts.${hostName}" = { forceSSL = true; useACMEHost = "mta-sts.${hostName}"; locations."/" = { root = pkgs.runCommand "create-well-known-mta-sts" {} '' mkdir -p "$out/.well-known" echo " version: STSv1 mode: enforce max_age: 604800 mx: mail.${hostName} " > "$out/.well-known/mta-sts.txt" ''; tryFiles = "$uri $uri/ =404"; }; }; }) {} [ "b12f.io" ]; systemd.tmpfiles.rules = [ "d '/run/maddy' 0750 maddy maddy - -" ]; system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] '' mkdir -p /var/lib/maddy/dkim_keys echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns chown -R maddy:maddy /var/lib/maddy ''; networking.firewall.allowedTCPPorts = [ 25 ]; networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ]; services.maddy = { enable = true; openFirewall = false; hostname = "mail.b12f.io"; primaryDomain = "b12f.io"; localDomains = [ "b12f.io" "mail.b12f.io" ]; ensureAccounts = [ "mail@b12f.io" ]; ensureCredentials = { # Do not use this in production. This will make passwords world-readable # in the Nix store "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path; }; tls = { loader = "file"; certificates = [ { keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem"; certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem"; } { keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem"; certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem"; } ]; }; config = '' auth.pass_table local_authdb { table sql_table { driver sqlite3 dsn credentials.db table_name passwords } } storage.imapsql local_mailboxes { driver sqlite3 dsn imapsql.db } table.chain local_rewrites { optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3" optional_step static { entry postmaster postmaster@$(primary_domain) } optional_step file /etc/maddy/aliases } msgpipeline local_routing { check { rspamd { api_path http://localhost:11334 } } modify { replace_rcpt &local_rewrites } # at this point rcpt was normalized to either: # postmaster@$(primary_domain), # local_mailbox_without_tag@$(local_domains), # replacements with alias # destination_in block takes priority over destinations destination_in &local_mailboxes { deliver_to &local_mailboxes } # if rcpt is not in local_mailboxes, but has our domains, # replace rcpt to catchall and deliver it there destination $(local_domains) { modify { replace_rcpt regexp ".*" "mail@$(primary_domain)" } deliver_to &local_mailboxes } default_destination { reject 550 5.1.1 "User doesn't exist" } } smtp tcp://0.0.0.0:25 { limits { all rate 20 1s all concurrency 10 } dmarc yes check { require_mx_record dkim spf } source $(local_domains) { reject 501 5.1.8 "Use Submission for outgoing SMTP" } default_source { destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { reject 550 5.1.1 "User doesn't exist" } } } submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 { limits { all rate 50 1s } auth &local_authdb source $(local_domains) { check { authorize_sender { prepare_email &local_rewrites user_to_email identity } } destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { modify { dkim $(primary_domain) $(local_domains) default } deliver_to &remote_queue } } default_source { reject 501 5.1.8 "Non-local sender domain" } } target.remote outbound_delivery { limits { destination rate 20 1s destination concurrency 10 } mx_auth { dane mtasts { cache fs fs_dir mtasts_cache/ } local_policy { min_tls_level encrypted min_mx_level none } } } target.queue remote_queue { target &outbound_delivery autogenerated_msg_domain $(primary_domain) bounce { destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { reject 550 5.0.0 "Refusing to send DSNs to non-local addresses" } } } imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 { auth &local_authdb storage &local_mailboxes } ''; }; services.rspamd = { enable = true; locals."dkim_signing.conf".text = '' enabled = false; ''; }; systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ]; age.secrets."rclone-pubsolar.conf" = { file = "${flake.self}/secrets/rclone-pubsolar.conf.age"; mode = "400"; }; age.secrets."restic-password" = { file = "${flake.self}/secrets/restic-password.age"; mode = "400"; }; services.restic.backups = { maddy = { paths = [ "/var/lib/maddy" ]; initialize = true; passwordFile = config.age.secrets."restic-password".path; # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ repository = "rclone:cloud.pub.solar:/backups/Maddy"; rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path; }; }; }