{ flake, config, pkgs, lib, ... }: let hzDomain = lib.concatStrings ["hw" "dz" "z." "net"]; dkimDNSb12fio = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ; ''; dkimDNSmezzabiz = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ; ''; dkimDNShzDomain = '' default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ; ''; in { age.secrets."b12f.io-dkim-private-rsa" = { file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age"; path = "/var/lib/maddy/dkim_keys/b12f.io_default.key"; mode = "400"; owner = "maddy"; }; age.secrets."mail@b12f.io-password" = { file = "${flake.self}/secrets/mail@b12f.io-password.age"; mode = "400"; owner = "maddy"; }; age.secrets."mezza.biz-dkim-private-rsa" = { file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age"; path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key"; mode = "400"; owner = "maddy"; }; age.secrets."mail@mezza.biz-password" = { file = "${flake.self}/secrets/mail@mezza.biz-password.age"; mode = "400"; owner = "maddy"; }; age.secrets."hzdomain-dkim-private-rsa" = { file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age"; path = "/var/lib/maddy/dkim_keys/hzdomain_default.key"; mode = "400"; owner = "maddy"; }; age.secrets."mail@hzdomain-password" = { file = "${flake.self}/secrets/mail@hzdomain-password.age"; mode = "400"; owner = "maddy"; }; users.users.maddy.extraGroups = ["nginx"]; security.acme.certs = { "mail.b12f.io".reloadServices = ["maddy"]; "b12f.io".reloadServices = ["maddy"]; "mta-sts.b12f.io" = {}; "mail.mezza.biz".reloadServices = ["maddy"]; "mezza.biz".reloadServices = ["maddy"]; "mta-sts.mezza.biz" = {}; "mail.${hzDomain}".reloadServices = ["maddy"]; "${hzDomain}".reloadServices = ["maddy"]; "mta-sts.${hzDomain}" = {}; }; services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // { "mta-sts.${hostName}" = { forceSSL = true; useACMEHost = "mta-sts.${hostName}"; locations."/" = { root = pkgs.runCommand "create-well-known-mta-sts" {} '' mkdir -p "$out/.well-known" echo " version: STSv1 mode: enforce max_age: 604800 mx: mail.${hostName} " > "$out/.well-known/mta-sts.txt" ''; tryFiles = "$uri $uri/ =404"; }; }; }) {} ["b12f.io" "mezza.biz" hzDomain]; systemd.tmpfiles.rules = [ "d '/run/maddy' 0750 maddy maddy - -" ]; system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter ["var"] '' mkdir -p /var/lib/maddy/dkim_keys echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns chown -R maddy:maddy /var/lib/maddy ''; networking.firewall.allowedTCPPorts = [25]; networking.firewall.interfaces.wg-private.allowedTCPPorts = [465 587 993]; services.maddy = { enable = true; openFirewall = false; hostname = "mail.b12f.io"; primaryDomain = "b12f.io"; localDomains = [ "b12f.io" "mail.b12f.io" "mezza.biz" "mail.mezza.biz" hzDomain "mail.${hzDomain}" ]; ensureAccounts = [ "mail@b12f.io" "mail@mezza.biz" "mail@${hzDomain}" ]; ensureCredentials = { # Do not use this in production. This will make passwords world-readable # in the Nix store "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path; "mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path; "mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path; }; tls = { loader = "file"; certificates = [ { keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem"; certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem"; } { keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem"; certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem"; } { keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem"; certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem"; } { keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem"; certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem"; } { keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem"; certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem"; } { keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem"; certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem"; } ]; }; config = '' auth.pass_table local_authdb { table sql_table { driver sqlite3 dsn credentials.db table_name passwords } } storage.imapsql local_mailboxes { driver sqlite3 dsn imapsql.db } table.chain local_rewrites { optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3" optional_step static { entry postmaster postmaster@$(primary_domain) } optional_step file /etc/maddy/aliases } msgpipeline local_routing { check { rspamd { api_path http://localhost:11334 } } modify { replace_rcpt &local_rewrites } # at this point rcpt was normalized to either: # postmaster@$(primary_domain), # local_mailbox_without_tag@$(local_domains), # replacements with alias # destination_in block takes priority over destinations destination_in &local_mailboxes { deliver_to &local_mailboxes } # if rcpt is not in local_mailboxes, but has our domains, # replace rcpt to catchall and deliver it there destination $(local_domains) { modify { replace_rcpt regexp ".*" "mail@$(primary_domain)" } deliver_to &local_mailboxes } default_destination { reject 550 5.1.1 "User doesn't exist" } } smtp tcp://0.0.0.0:25 { limits { all rate 20 1s all concurrency 10 } dmarc yes check { require_mx_record dkim spf } source $(local_domains) { reject 501 5.1.8 "Use Submission for outgoing SMTP" } default_source { destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { reject 550 5.1.1 "User doesn't exist" } } } submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 { limits { all rate 50 1s } auth &local_authdb source $(local_domains) { check { authorize_sender { prepare_email &local_rewrites user_to_email identity } } destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { modify { dkim $(primary_domain) $(local_domains) default } deliver_to &remote_queue } } default_source { reject 501 5.1.8 "Non-local sender domain" } } target.remote outbound_delivery { limits { destination rate 20 1s destination concurrency 10 } mx_auth { dane mtasts { cache fs fs_dir mtasts_cache/ } local_policy { min_tls_level encrypted min_mx_level none } } } target.queue remote_queue { target &outbound_delivery autogenerated_msg_domain $(primary_domain) bounce { destination postmaster $(local_domains) { deliver_to &local_routing } default_destination { reject 550 5.0.0 "Refusing to send DSNs to non-local addresses" } } } imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 { auth &local_authdb storage &local_mailboxes } ''; }; services.rspamd = { enable = true; locals."dkim_signing.conf".text = '' enabled = false; ''; }; systemd.services.rspamd.serviceConfig.SupplementaryGroups = ["maddy"]; age.secrets."rclone-pubsolar.conf" = { file = "${flake.self}/secrets/rclone-pubsolar.conf.age"; mode = "400"; }; age.secrets."restic-password" = { file = "${flake.self}/secrets/restic-password.age"; mode = "400"; }; services.restic.backups = { maddy = { paths = ["/var/lib/maddy"]; initialize = true; passwordFile = config.age.secrets."restic-password".path; # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ repository = "rclone:cloud.pub.solar:/backups/Maddy"; rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path; }; }; }