authorAzat Bahawi <azat@bahawi.net>2023-09-20 15:26:47 +0300
committerAzat Bahawi <azat@bahawi.net>2023-09-20 15:26:47 +0300
commit837fc97b30a41d766dd53a2370f6cb1d26364f9a (patch)
tree63ae83af789930c9a2035b9f9e43fbee166ab27b /nixosConfigurations/manwe/mailserver
parent2023-09-16 (diff)
2023-09-20
Diffstat (limited to 'nixosConfigurations/manwe/mailserver')
-rw-r--r--nixosConfigurations/manwe/mailserver/default.nix96
1 files changed, 96 insertions, 0 deletions
diff --git a/nixosConfigurations/manwe/mailserver/default.nix b/nixosConfigurations/manwe/mailserver/default.nix
new file mode 100644
index 0000000..4f58df7
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver/default.nix
@@ -0,0 +1,96 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+  # Redis?
+  ark.directories = with config.mailserver; [
+    "/var/lib/dovecot"
+    "/var/lib/postfix"
+    config.security.dhparams.params.dovecot2.path
+    dkimKeyDirectory
+    mailDirectory
+    sieveDirectory
+  ];
+
+  secrets = with config.mailserver; {
+    dkim-key-azahi-cc = {
+      file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+      path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-rohan-net = {
+      file = "${inputs.self}/secrets/dkim-key-rohan-net";
+      path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-gondor-net = {
+      file = "${inputs.self}/secrets/dkim-key-gondor-net";
+      path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-shire-net = {
+      file = "${inputs.self}/secrets/dkim-key-shire-net";
+      path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+  };
+
+  nixfiles.modules = {
+    acme.enable = true;
+    redis.enable = true;
+  };
+
+  mailserver = let
+    cert = config.certs.${my.domain.shire};
+  in {
+    enable = true;
+
+    fqdn = config.networking.domain;
+    domains = with my.domain; [azahi gondor rohan shire];
+
+    localDnsResolver = false;
+
+    certificateScheme = "manual";
+    certificateFile = "${cert.directory}/fullchain.pem";
+    keyFile = "${cert.directory}/key.pem";
+
+    lmtpSaveToDetailMailbox = "no";
+
+    redis = with config.services.redis.servers.default; {
+      address = bind;
+      inherit port;
+      password = requirePass;
+    };
+
+    # Just a list of accounts with aliases and hasedPasswords. Not necessarily
+    # secret, but kept from prying eyes.
+    loginAccounts = import ./accounts.nix lib;
+  };
+
+  # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
+  services.redis.servers.rspamd.enable = mkForce false;
+  systemd.services.rspamd = {
+    requires = mkForce ["redis-default.service"];
+    after = mkForce ["redis-default.service"];
+  };
+
+  services.fail2ban.jails = {
+    dovecot = {
+      enabled = true;
+      settings.mode = "aggressive";
+    };
+    postfix = {
+      enabled = true;
+      settings.mode = "aggressive";
+    };
+  };
+}
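Review bot: The Redis password at `password = requirePass;` is taken from `services.redis.servers.default.requirePass`, a plain module option whose value is rendered into the generated redis configuration in the Nix store (the NixOS redis module documents it as world-readable there and offers `requirePassFile` as the file-based alternative), so unlike the DKIM keys routed through `secrets` above it is not actually kept out of the store. Whether that matters depends on what `bind` is set to and on whether this version of the mailserver module's `redis.password` can take a file path instead; neither is visible in this hunk, so it is worth confirming before treating the password as a real control. At minimum I would record the trade-off next to the block: `# NOTE: requirePass (if set) ends up world-readable in /nix/store; rely on the loopback bind, not the password, for isolation`. The `# Redis?` comment above `ark.directories` also reads as an open question and should state whether the redis state directory is intentionally left out of the persisted list.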
