os/hosts/frikandel/email.nix

277 lines
7.6 KiB
Nix

{
flake,
config,
pkgs,
lib,
...
}: let
# hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
dkimDNSb12fio = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
'';
in {
age.secrets."b12f.io-dkim-private-rsa" = {
file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
mode = "400";
owner = "maddy";
};
age.secrets."mail@b12f.io-password" = {
file = "${flake.self}/secrets/mail@b12f.io-password.age";
mode = "400";
owner = "maddy";
};
users.users.maddy.extraGroups = [ "nginx" ];
security.acme.certs = {
"mail.b12f.io" = {
reloadServices = [ "maddy" ];
};
"b12f.io" = {
reloadServices = [ "maddy" ];
};
"mta-sts.b12f.io" = {};
};
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
"mta-sts.${hostName}" = {
forceSSL = true;
useACMEHost = "mta-sts.${hostName}";
locations."/" = {
root = pkgs.runCommand "create-well-known-mta-sts" {} ''
mkdir -p "$out/.well-known"
echo "
version: STSv1
mode: enforce
max_age: 604800
mx: mail.${hostName}
" > "$out/.well-known/mta-sts.txt"
'';
tryFiles = "$uri $uri/ =404";
};
};
}) {} [ "b12f.io" ];
systemd.tmpfiles.rules = [
"d '/run/maddy' 0750 maddy maddy - -"
];
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/maddy/dkim_keys
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
chown -R maddy:maddy /var/lib/maddy
'';
networking.firewall.allowedTCPPorts = [ 25 ];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ];
services.maddy = {
enable = true;
openFirewall = false;
hostname = "mail.b12f.io";
primaryDomain = "b12f.io";
localDomains = [
"b12f.io"
"mail.b12f.io"
];
ensureAccounts = [
"mail@b12f.io"
];
ensureCredentials = {
# Do not use this in production. This will make passwords world-readable
# in the Nix store
"mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
};
tls = {
loader = "file";
certificates = [
{
keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
}
];
};
config = ''
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
table.chain local_rewrites {
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster postmaster@$(primary_domain)
}
optional_step file /etc/maddy/aliases
}
msgpipeline local_routing {
check {
rspamd {
api_path http://localhost:11334
}
}
modify {
replace_rcpt &local_rewrites
}
# at this point rcpt was normalized to either:
# postmaster@$(primary_domain),
# local_mailbox_without_tag@$(local_domains),
# replacements with alias
# destination_in block takes priority over destinations
destination_in &local_mailboxes {
deliver_to &local_mailboxes
}
# if rcpt is not in local_mailboxes, but has our domains,
# replace rcpt to catchall and deliver it there
destination $(local_domains) {
modify {
replace_rcpt regexp ".*" "mail@$(primary_domain)"
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
smtp tcp://0.0.0.0:25 {
limits {
all rate 20 1s
all concurrency 10
}
dmarc yes
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 {
limits {
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
modify {
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
target.remote outbound_delivery {
limits {
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 {
auth &local_authdb
storage &local_mailboxes
}
'';
};
services.rspamd = {
enable = true;
locals."dkim_signing.conf".text = ''
enabled = false;
'';
};
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
mode = "400";
};
age.secrets."restic-password" = {
file = "${flake.self}/secrets/restic-password.age";
mode = "400";
};
services.restic.backups = {
maddy = {
paths = [ "/var/lib/maddy" ];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Maddy";
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}