Diffstat (limited to 'configurations/manwe/mailserver/default.nix')
-rw-r--r--configurations/manwe/mailserver/default.nix113
1 files changed, 113 insertions, 0 deletions
diff --git a/configurations/manwe/mailserver/default.nix b/configurations/manwe/mailserver/default.nix
new file mode 100644
index 0000000..cc8b41d
--- /dev/null
+++ b/configurations/manwe/mailserver/default.nix
@@ -0,0 +1,113 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib;
+{
+  imports = [ inputs.mailserver.nixosModule ] ++ attrValues (modulesIn ./.);
+
+  ark.directories = with config.mailserver; [
+    "/var/lib/dovecot"
+    "/var/lib/postfix"
+    config.security.dhparams.params.dovecot2.path
+    dkimKeyDirectory
+    mailDirectory
+    sieveDirectory
+  ];
+
+  secrets = with config.mailserver; {
+    dkim-key-azahi-cc = {
+      file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+      path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-rohan-net = {
+      file = "${inputs.self}/secrets/dkim-key-rohan-net";
+      path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-gondor-net = {
+      file = "${inputs.self}/secrets/dkim-key-gondor-net";
+      path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+    dkim-key-shire-net = {
+      file = "${inputs.self}/secrets/dkim-key-shire-net";
+      path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key";
+      owner = config.services.opendkim.user;
+      inherit (config.services.opendkim) group;
+    };
+  };
+
+  nixfiles.modules = {
+    acme.enable = true;
+    redis.enable = true;
+  };
+
+  mailserver =
+    let
+      cert = config.certs.${my.domain.shire};
+    in
+    {
+      enable = true;
+
+      # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
+      # are still enabled by default.
+      #
+      # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
+      enableImap = false;
+      enablePop3 = false;
+      enableSubmission = false;
+
+      fqdn = config.networking.domain;
+      domains = with my.domain; [
+        azahi
+        gondor
+        rohan
+        shire
+      ];
+
+      localDnsResolver = false;
+
+      certificateScheme = "manual";
+      certificateFile = "${cert.directory}/fullchain.pem";
+      keyFile = "${cert.directory}/key.pem";
+
+      lmtpSaveToDetailMailbox = "no";
+
+      redis = with config.services.redis.servers.default; {
+        address = bind;
+        inherit port;
+        password = requirePass;
+      };
+    };
+
+  services = {
+    fail2ban.jails = {
+      dovecot = {
+        enabled = true;
+        settings.mode = "aggressive";
+      };
+      postfix = {
+        enabled = true;
+        settings.mode = "aggressive";
+      };
+    };
+
+    # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275#note_1746383655
+    dovecot2.sieve.extensions = [ "fileinto" ];
+
+    # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
+    redis.servers.rspamd.enable = mkForce false;
+  };
+
+  systemd.services.rspamd = {
+    requires = mkForce [ "redis-default.service" ];
+    after = mkForce [ "redis-default.service" ];
+  };
+}
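Review bot: The `password = requirePass;` line in the `mailserver.redis` block reads the plaintext from `services.redis.servers.default.requirePass`, an option NixOS itself flags as landing world-readable in the Nix store (which is why `requirePassFile` exists), and as far as I can tell the mailserver module interpolates `mailserver.redis.password` into rspamd's generated configuration in the same way. If the `nixfiles.modules.redis` module (not visible here) sets `requirePass` rather than `requirePassFile`, the credential guarding rspamd's Bayes/statistics data is readable by every local user on the host. Consider supplying the password to rspamd from a file outside the store, or, if `requirePassFile` is already in use so that `requirePass` evaluates to null, saying so next to the line, e.g. `# requirePass is null: the password comes from requirePassFile and never enters the store.` Separately, the STARTTLS comment above `enableImap = false;` could note that inbound SMTP on port 25 necessarily remains opportunistic STARTTLS for MX delivery; the three `enable*` options only cover the client-facing IMAP/POP3/submission listeners.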
