infra/modules/mail/default.nix

{ config, flake, ... }:

{
  age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";
  age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";
  age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";
  age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";
  age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";
  age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";
  age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";

  mailserver = {
    enable = true;
    fqdn = "mail.pub.solar";
    domains = [ "pub.solar" ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'
    loginAccounts = {
      "hensoko@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-hensoko.path;
        quota = "2G";
      };
      "teutat3s@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-teutat3s.path;
        quota = "2G";
      };
      "admins@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-admins.path;
        quota = "2G";
        aliases = [
          "abuse@pub.solar"
          "alerts@pub.solar"
          "forgejo@pub.solar"
          "keycloak@pub.solar"
          "mastodon-notifications@pub.solar"
          "matrix@pub.solar"
          "postmaster@pub.solar"
          "nextcloud@pub.solar"
          "no-reply@pub.solar"
          "security@pub.solar"
        ];
      };
      "bot@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-bot.path;
        quota = "2G";
        aliases = [ "hackernews-bot@pub.solar" ];
      };
      "crew@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-crew.path;
        quota = "2G";
        aliases = [ "moderation@pub.solar" ];
      };
      "erpnext@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-erpnext.path;
        quota = "2G";
      };
      "hakkonaut@pub.solar" = {
        hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;
        quota = "2G";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "security@pub.solar";

  pub-solar-os.backups.restic.mail = {
    paths = [
      "/var/vmail"
      "/var/dkim"
    ];
    timerConfig = {
      OnCalendar = "*-*-* 02:00:00 Etc/UTC";
    };
    initialize = true;
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
}
initial work on mail 2024-05-22 19:49:34 +00:00			`{ config, flake, ... }:`

			`{`
			`age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age";`
mail: add more @pub.solar mail accounts 2024-05-25 15:24:42 +00:00			`age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age";`
			`age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age";`
			`age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age";`
			`age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age";`
			`age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age";`
			`age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age";`
initial work on mail 2024-05-22 19:49:34 +00:00
			`mailserver = {`
			`enable = true;`
mail: switch to mail.pub.solar 2024-05-27 15:51:02 +00:00			`fqdn = "mail.pub.solar";`
style: treefmt 2024-05-27 16:05:30 +00:00			`domains = [ "pub.solar" ];`
initial work on mail 2024-05-22 19:49:34 +00:00
			`# A list of all login accounts. To create the password hashes, use`
			`# nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt'`
			`loginAccounts = {`
			`"hensoko@pub.solar" = {`
			`hashedPasswordFile = config.age.secrets.mail-hensoko.path;`
mail: add more @pub.solar mail accounts 2024-05-25 15:24:42 +00:00			`quota = "2G";`
			`};`
mail: switch to mail.pub.solar 2024-05-27 15:51:02 +00:00			`"teutat3s@pub.solar" = {`
mail: add more @pub.solar mail accounts 2024-05-25 15:24:42 +00:00			`hashedPasswordFile = config.age.secrets.mail-teutat3s.path;`
			`quota = "2G";`
			`};`
			`"admins@pub.solar" = {`
			`hashedPasswordFile = config.age.secrets.mail-admins.path;`
			`quota = "2G";`
			`aliases = [`
			`"abuse@pub.solar"`
			`"alerts@pub.solar"`
			`"forgejo@pub.solar"`
			`"keycloak@pub.solar"`
			`"mastodon-notifications@pub.solar"`
			`"matrix@pub.solar"`
			`"postmaster@pub.solar"`
			`"nextcloud@pub.solar"`
			`"no-reply@pub.solar"`
			`"security@pub.solar"`
			`];`
			`};`
			`"bot@pub.solar" = {`
			`hashedPasswordFile = config.age.secrets.mail-bot.path;`
			`quota = "2G";`
			`aliases = [ "hackernews-bot@pub.solar" ];`
			`};`
			`"crew@pub.solar" = {`
			`hashedPasswordFile = config.age.secrets.mail-crew.path;`
			`quota = "2G";`
			`aliases = [ "moderation@pub.solar" ];`
			`};`
			`"erpnext@pub.solar" = {`
			`hashedPasswordFile = config.age.secrets.mail-erpnext.path;`
			`quota = "2G";`
			`};`
			`"hakkonaut@pub.solar" = {`
			`hashedPasswordFile = config.age.secrets.mail-hakkonaut.path;`
			`quota = "2G";`
initial work on mail 2024-05-22 19:49:34 +00:00			`};`
			`};`

			`# Use Let's Encrypt certificates. Note that this needs to set up a stripped`
			`# down nginx and opens port 80.`
			`certificateScheme = "acme-nginx";`
			`};`
			`security.acme.acceptTerms = true;`
			`security.acme.defaults.email = "security@pub.solar";`
mail: add backups to garage bucket + storagebox Restic backups to garage S3 bucket metronom-backups 2024-08-25 01:45:53 +00:00
			`pub-solar-os.backups.restic.mail = {`
			`paths = [`
			`"/var/vmail"`
			`"/var/dkim"`
			`];`
			`timerConfig = {`
			`OnCalendar = "--* 02:00:00 Etc/UTC";`
			`};`
			`initialize = true;`
			`pruneOpts = [`
			`"--keep-daily 7"`
			`"--keep-weekly 4"`
			`"--keep-monthly 3"`
			`];`
			`};`
initial work on mail 2024-05-22 19:49:34 +00:00			`}`