os/hosts/frikandel/email.nix

{
  flake,
  config,
  pkgs,
  lib,
  ...
}: let
  # hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
  dkimDNSb12fio = ''
  default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
  '';
in {
  age.secrets."b12f.io-dkim-private-rsa" = {
    file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
    path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
    mode = "400";
    owner = "maddy";
  };

  age.secrets."mail@b12f.io-password" = {
    file = "${flake.self}/secrets/mail@b12f.io-password.age";
    mode = "400";
    owner = "maddy";
  };

  users.users.maddy.extraGroups = [ "nginx" ];

  security.acme.certs = {
    "mail.b12f.io" = {
      reloadServices = [ "maddy" ];
    };
    "b12f.io" = {
      reloadServices = [ "maddy" ];
    };
    "mta-sts.b12f.io" = {};
  };

  services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
      "mta-sts.${hostName}" = {
        forceSSL = true;
        useACMEHost = "mta-sts.${hostName}";
        locations."/" = {
          root = pkgs.runCommand "create-well-known-mta-sts" {} ''
            mkdir -p "$out/.well-known"
            echo "
              version: STSv1
              mode: enforce
              max_age: 604800
              mx: mail.${hostName}
            " > "$out/.well-known/mta-sts.txt"
          '';
          tryFiles = "$uri $uri/ =404";
        };
      };
    }) {} [ "b12f.io" ];

  systemd.tmpfiles.rules = [
    "d '/run/maddy' 0750 maddy maddy - -"
  ];

  system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] ''
    mkdir -p /var/lib/maddy/dkim_keys

    echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
    chown -R maddy:maddy /var/lib/maddy
  '';

  networking.firewall.allowedTCPPorts = [ 25 ];
  networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ];

  services.maddy = {
    enable = true;
    openFirewall = false;
    hostname = "mail.b12f.io";
    primaryDomain = "b12f.io";
    localDomains = [
      "b12f.io"
      "mail.b12f.io"
    ];
    ensureAccounts = [
      "mail@b12f.io"
    ];
    ensureCredentials = {
      # Do not use this in production. This will make passwords world-readable
      # in the Nix store
      "mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
    };
    tls = {
      loader = "file";
      certificates = [
        {
          keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
          certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
        }
        {
          keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
          certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
        }
      ];
    };
    config = ''
      auth.pass_table local_authdb {
        table sql_table {
          driver sqlite3
          dsn credentials.db
          table_name passwords
        }
      }

      storage.imapsql local_mailboxes {
        driver sqlite3
        dsn imapsql.db
      }

      table.chain local_rewrites {
        optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
        optional_step static {
          entry postmaster postmaster@$(primary_domain)
        }
        optional_step file /etc/maddy/aliases
      }

      msgpipeline local_routing {
        check {
          rspamd {
            api_path http://localhost:11334
          }
        }

        modify {
          replace_rcpt &local_rewrites
        }

        # at this point rcpt was normalized to either:
        #       postmaster@$(primary_domain),
        #       local_mailbox_without_tag@$(local_domains),
        #       replacements with alias

        # destination_in block takes priority over destinations
        destination_in &local_mailboxes {
          deliver_to &local_mailboxes
        }

        # if rcpt is not in local_mailboxes, but has our domains,
        # replace rcpt to catchall and deliver it there
        destination $(local_domains) {
          modify {
            replace_rcpt regexp ".*" "mail@$(primary_domain)"
          }
          deliver_to &local_mailboxes
        }

        default_destination {
          reject 550 5.1.1 "User doesn't exist"
        }
      }

      smtp tcp://0.0.0.0:25 {
        limits {
          all rate 20 1s
          all concurrency 10
        }
        dmarc yes
        check {
          require_mx_record
          dkim
          spf
        }
        source $(local_domains) {
          reject 501 5.1.8 "Use Submission for outgoing SMTP"
        }
        default_source {
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
            reject 550 5.1.1 "User doesn't exist"
          }
        }
      }

      submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 {
        limits {
          all rate 50 1s
        }
        auth &local_authdb
        source $(local_domains) {
          check {
              authorize_sender {
                  prepare_email &local_rewrites
                  user_to_email identity
              }
          }
          destination postmaster $(local_domains) {
              deliver_to &local_routing
          }
          default_destination {
              modify {
                  dkim $(primary_domain) $(local_domains) default
              }
              deliver_to &remote_queue
          }
        }
        default_source {
          reject 501 5.1.8 "Non-local sender domain"
        }
      }

      target.remote outbound_delivery {
        limits {
          destination rate 20 1s
          destination concurrency 10
        }
        mx_auth {
          dane
          mtasts {
            cache fs
            fs_dir mtasts_cache/
          }
          local_policy {
              min_tls_level encrypted
              min_mx_level none
          }
        }
      }

      target.queue remote_queue {
        target &outbound_delivery
        autogenerated_msg_domain $(primary_domain)
        bounce {
          destination postmaster $(local_domains) {
            deliver_to &local_routing
          }
          default_destination {
              reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
          }
        }
      }

      imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 {
        auth &local_authdb
        storage &local_mailboxes
      }
    '';
  };

  services.rspamd = {
    enable = true;
    locals."dkim_signing.conf".text = ''
      enabled = false;
    '';
  };

  systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];

  age.secrets."rclone-pubsolar.conf" = {
    file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
    mode = "400";
  };

  age.secrets."restic-password" = {
    file = "${flake.self}/secrets/restic-password.age";
    mode = "400";
  };

  services.restic.backups = {
    maddy = {
      paths = [ "/var/lib/maddy" ];
      initialize = true;
      passwordFile = config.age.secrets."restic-password".path;
      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
      repository = "rclone:cloud.pub.solar:/backups/Maddy";
      rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
    };
  };
}