Diffstat (limited to '')
-rw-r--r--configurations/manwe/mailserver.nix96
1 files changed, 96 insertions, 0 deletions
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
new file mode 100644
index 0000000..60a917b
--- /dev/null
+++ b/configurations/manwe/mailserver.nix
@@ -0,0 +1,96 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+  config = {
+    secrets = {
+      dkim-key-azahi-cc = {
+        file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+        path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+      dkim-key-rohan-net = {
+        file = "${inputs.self}/secrets/dkim-key-rohan-net";
+        path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+      dkim-key-gondor-net = {
+        file = "${inputs.self}/secrets/dkim-key-gondor-net";
+        path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+      dkim-key-shire-me = {
+        file = "${inputs.self}/secrets/dkim-key-shire-me";
+        path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+        owner = "opendkim";
+        group = "opendkim";
+      };
+    };
+
+    nixfiles.modules.acme.enable = true;
+
+    mailserver = let
+      cert = config.certs.${my.domain.shire};
+    in {
+      enable = true;
+
+      fqdn = config.networking.domain;
+      domains = with my.domain; [azahi gondor rohan shire];
+
+      localDnsResolver = false;
+
+      certificateScheme = 1;
+      certificateFile = "${cert.directory}/fullchain.pem";
+      keyFile = "${cert.directory}/key.pem";
+
+      lmtpSaveToDetailMailbox = "no";
+
+      loginAccounts = with my.domain; {
+        "azahi@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          aliases = [
+            "@${azahi}"
+            "@${rohan}"
+            "@${gondor}"
+            "abuse@${shire}"
+            "admin@${shire}"
+            "ceo@${shire}"
+            "postmaster@${shire}"
+          ];
+        };
+        "samwise@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          aliases = ["chad@${shire}"];
+          quota = "1G";
+        };
+        "pippin@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          quota = "1G";
+        };
+        "meriadoc@${shire}" = {
+          hashedPassword = "[REDACTED]";
+          quota = "1G";
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      dovecot = ''
+        enabled = true
+        mode = aggressive
+      '';
+      postfix = ''
+        enabled = true
+        mode = aggressive
+      '';
+    };
+  };
+}
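Review bot: The `hashedPassword` values on the four `loginAccounts` entries are embedded in the module source, so even as hashes they end up in the world-readable Nix store and in the repository; the file already routes the DKIM keys through the `secrets` block, and the same mechanism fits here via the module's `hashedPasswordFile` option, e.g. `hashedPasswordFile = config.secrets.passwd-azahi.path;` with a matching `secrets.passwd-azahi` entry owned by the dovecot user (placeholder name). A short comment above `loginAccounts` explaining why the hashes live outside the store would help the next maintainer. The catch-all aliases `"@${azahi}"`, `"@${rohan}"` and `"@${gondor}"` accept every local part on those domains, which is worth a one-line comment stating it is intentional, since it widens the spam surface considerably. The top-level `with lib;` is a style point: it makes the origin of `my` implicit (it appears to resolve to something under `lib`, but that is inferred) and shadows names silently; `inherit (lib) my;` or an explicit `lib.my` would make the dependency visible.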
