339 lines
10 KiB
Nix
339 lines
10 KiB
Nix
{
|
|
flake,
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: let
|
|
hzDomain = lib.concatStrings ["hw" "dz" "z." "net"];
|
|
dkimDNSb12fio = ''
|
|
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
|
|
'';
|
|
dkimDNSmezzabiz = ''
|
|
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
|
|
'';
|
|
dkimDNShzDomain = ''
|
|
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
|
|
'';
|
|
in {
|
|
age.secrets."b12f.io-dkim-private-rsa" = {
|
|
file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
|
|
path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
age.secrets."mail@b12f.io-password" = {
|
|
file = "${flake.self}/secrets/mail@b12f.io-password.age";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
age.secrets."mezza.biz-dkim-private-rsa" = {
|
|
file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age";
|
|
path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
age.secrets."mail@mezza.biz-password" = {
|
|
file = "${flake.self}/secrets/mail@mezza.biz-password.age";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
age.secrets."hzdomain-dkim-private-rsa" = {
|
|
file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age";
|
|
path = "/var/lib/maddy/dkim_keys/hzdomain_default.key";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
age.secrets."mail@hzdomain-password" = {
|
|
file = "${flake.self}/secrets/mail@hzdomain-password.age";
|
|
mode = "400";
|
|
owner = "maddy";
|
|
};
|
|
|
|
users.users.maddy.extraGroups = ["nginx"];
|
|
|
|
security.acme.certs = {
|
|
"mail.b12f.io".reloadServices = ["maddy"];
|
|
"b12f.io".reloadServices = ["maddy"];
|
|
"mta-sts.b12f.io" = {};
|
|
"mail.mezza.biz".reloadServices = ["maddy"];
|
|
"mezza.biz".reloadServices = ["maddy"];
|
|
"mta-sts.mezza.biz" = {};
|
|
"mail.${hzDomain}".reloadServices = ["maddy"];
|
|
"${hzDomain}".reloadServices = ["maddy"];
|
|
"mta-sts.${hzDomain}" = {};
|
|
};
|
|
|
|
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName:
|
|
hosts
|
|
// {
|
|
"mta-sts.${hostName}" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mta-sts.${hostName}";
|
|
locations."/" = {
|
|
root = pkgs.runCommand "create-well-known-mta-sts" {} ''
|
|
mkdir -p "$out/.well-known"
|
|
echo "
|
|
version: STSv1
|
|
mode: enforce
|
|
max_age: 604800
|
|
mx: mail.${hostName}
|
|
" > "$out/.well-known/mta-sts.txt"
|
|
'';
|
|
tryFiles = "$uri $uri/ =404";
|
|
};
|
|
};
|
|
}) {} ["b12f.io" "mezza.biz" hzDomain];
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d '/run/maddy' 0750 maddy maddy - -"
|
|
];
|
|
|
|
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter ["var"] ''
|
|
mkdir -p /var/lib/maddy/dkim_keys
|
|
|
|
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
|
|
echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns
|
|
echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns
|
|
chown -R maddy:maddy /var/lib/maddy
|
|
'';
|
|
|
|
networking.firewall.allowedTCPPorts = [25];
|
|
networking.firewall.interfaces.wg-private.allowedTCPPorts = [465 587 993];
|
|
|
|
services.maddy = {
|
|
enable = true;
|
|
openFirewall = false;
|
|
hostname = "mail.b12f.io";
|
|
primaryDomain = "b12f.io";
|
|
localDomains = [
|
|
"b12f.io"
|
|
"mail.b12f.io"
|
|
"mezza.biz"
|
|
"mail.mezza.biz"
|
|
hzDomain
|
|
"mail.${hzDomain}"
|
|
];
|
|
ensureAccounts = [
|
|
"mail@b12f.io"
|
|
"mail@mezza.biz"
|
|
"mail@${hzDomain}"
|
|
];
|
|
ensureCredentials = {
|
|
# Do not use this in production. This will make passwords world-readable
|
|
# in the Nix store
|
|
"mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
|
|
"mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path;
|
|
"mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path;
|
|
};
|
|
tls = {
|
|
loader = "file";
|
|
certificates = [
|
|
{
|
|
keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
|
|
}
|
|
{
|
|
keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
|
|
}
|
|
{
|
|
keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem";
|
|
}
|
|
{
|
|
keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem";
|
|
}
|
|
{
|
|
keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem";
|
|
}
|
|
{
|
|
keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem";
|
|
certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem";
|
|
}
|
|
];
|
|
};
|
|
config = ''
|
|
auth.pass_table local_authdb {
|
|
table sql_table {
|
|
driver sqlite3
|
|
dsn credentials.db
|
|
table_name passwords
|
|
}
|
|
}
|
|
|
|
storage.imapsql local_mailboxes {
|
|
driver sqlite3
|
|
dsn imapsql.db
|
|
}
|
|
|
|
table.chain local_rewrites {
|
|
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
|
|
optional_step static {
|
|
entry postmaster postmaster@$(primary_domain)
|
|
}
|
|
optional_step file /etc/maddy/aliases
|
|
}
|
|
|
|
msgpipeline local_routing {
|
|
check {
|
|
rspamd {
|
|
api_path http://localhost:11334
|
|
}
|
|
}
|
|
|
|
modify {
|
|
replace_rcpt &local_rewrites
|
|
}
|
|
|
|
# at this point rcpt was normalized to either:
|
|
# postmaster@$(primary_domain),
|
|
# local_mailbox_without_tag@$(local_domains),
|
|
# replacements with alias
|
|
|
|
# destination_in block takes priority over destinations
|
|
destination_in &local_mailboxes {
|
|
deliver_to &local_mailboxes
|
|
}
|
|
|
|
# if rcpt is not in local_mailboxes, but has our domains,
|
|
# replace rcpt to catchall and deliver it there
|
|
destination $(local_domains) {
|
|
modify {
|
|
replace_rcpt regexp ".*" "mail@$(primary_domain)"
|
|
}
|
|
deliver_to &local_mailboxes
|
|
}
|
|
|
|
default_destination {
|
|
reject 550 5.1.1 "User doesn't exist"
|
|
}
|
|
}
|
|
|
|
smtp tcp://0.0.0.0:25 {
|
|
limits {
|
|
all rate 20 1s
|
|
all concurrency 10
|
|
}
|
|
dmarc yes
|
|
check {
|
|
require_mx_record
|
|
dkim
|
|
spf
|
|
}
|
|
source $(local_domains) {
|
|
reject 501 5.1.8 "Use Submission for outgoing SMTP"
|
|
}
|
|
default_source {
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
reject 550 5.1.1 "User doesn't exist"
|
|
}
|
|
}
|
|
}
|
|
|
|
submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 {
|
|
limits {
|
|
all rate 50 1s
|
|
}
|
|
auth &local_authdb
|
|
source $(local_domains) {
|
|
check {
|
|
authorize_sender {
|
|
prepare_email &local_rewrites
|
|
user_to_email identity
|
|
}
|
|
}
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
modify {
|
|
dkim $(primary_domain) $(local_domains) default
|
|
}
|
|
deliver_to &remote_queue
|
|
}
|
|
}
|
|
default_source {
|
|
reject 501 5.1.8 "Non-local sender domain"
|
|
}
|
|
}
|
|
|
|
target.remote outbound_delivery {
|
|
limits {
|
|
destination rate 20 1s
|
|
destination concurrency 10
|
|
}
|
|
mx_auth {
|
|
dane
|
|
mtasts {
|
|
cache fs
|
|
fs_dir mtasts_cache/
|
|
}
|
|
local_policy {
|
|
min_tls_level encrypted
|
|
min_mx_level none
|
|
}
|
|
}
|
|
}
|
|
|
|
target.queue remote_queue {
|
|
target &outbound_delivery
|
|
autogenerated_msg_domain $(primary_domain)
|
|
bounce {
|
|
destination postmaster $(local_domains) {
|
|
deliver_to &local_routing
|
|
}
|
|
default_destination {
|
|
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
|
|
}
|
|
}
|
|
}
|
|
|
|
imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 {
|
|
auth &local_authdb
|
|
storage &local_mailboxes
|
|
}
|
|
'';
|
|
};
|
|
|
|
services.rspamd = {
|
|
enable = true;
|
|
locals."dkim_signing.conf".text = ''
|
|
enabled = false;
|
|
'';
|
|
};
|
|
|
|
systemd.services.rspamd.serviceConfig.SupplementaryGroups = ["maddy"];
|
|
|
|
age.secrets."rclone-pubsolar.conf" = {
|
|
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
|
|
mode = "400";
|
|
};
|
|
|
|
age.secrets."restic-password" = {
|
|
file = "${flake.self}/secrets/restic-password.age";
|
|
mode = "400";
|
|
};
|
|
|
|
services.restic.backups = {
|
|
maddy = {
|
|
paths = ["/var/lib/maddy"];
|
|
initialize = true;
|
|
passwordFile = config.age.secrets."restic-password".path;
|
|
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
|
repository = "rclone:cloud.pub.solar:/backups/Maddy";
|
|
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
|
|
};
|
|
};
|
|
}
|