Diffstat (limited to 'nixosConfigurations/manwe/mailserver/default.nix')
-rw-r--r--nixosConfigurations/manwe/mailserver/default.nix96
1 files changed, 96 insertions, 0 deletions
diff --git a/nixosConfigurations/manwe/mailserver/default.nix b/nixosConfigurations/manwe/mailserver/default.nix
new file mode 100644
index 0000000..4f58df7
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver/default.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ # Redis?
+ ark.directories = with config.mailserver; [
+ "/var/lib/dovecot"
+ "/var/lib/postfix"
+ config.security.dhparams.params.dovecot2.path
+ dkimKeyDirectory
+ mailDirectory
+ sieveDirectory
+ ];
+
+ secrets = with config.mailserver; {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "${dkimKeyDirectory}/${my.domain.azahi}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "${dkimKeyDirectory}/${my.domain.rohan}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "${dkimKeyDirectory}/${my.domain.gondor}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ dkim-key-shire-net = {
+ file = "${inputs.self}/secrets/dkim-key-shire-net";
+ path = "${dkimKeyDirectory}/${my.domain.shire}.${dkimSelector}.key";
+ owner = config.services.opendkim.user;
+ inherit (config.services.opendkim) group;
+ };
+ };
+
+ nixfiles.modules = {
+ acme.enable = true;
+ redis.enable = true;
+ };
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = "manual";
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ redis = with config.services.redis.servers.default; {
+ address = bind;
+ inherit port;
+ password = requirePass;
+ };
+
+ # Just a list of accounts with aliases and hasedPasswords. Not necessarily
+ # secret, but kept from prying eyes.
+ loginAccounts = import ./accounts.nix lib;
+ };
+
+ # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
+ services.redis.servers.rspamd.enable = mkForce false;
+ systemd.services.rspamd = {
+ requires = mkForce ["redis-default.service"];
+ after = mkForce ["redis-default.service"];
+ };
+
+ services.fail2ban.jails = {
+ dovecot = {
+ enabled = true;
+ settings.mode = "aggressive";
+ };
+ postfix = {
+ enabled = true;
+ settings.mode = "aggressive";
+ };
+ };
+}
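Review bot: `password = requirePass;` in the `mailserver.redis` block (just below `address = bind;`) forwards the Redis `requirePass` value, which the NixOS option description warns is stored in plain text in the world-readable Nix store, into rspamd's configuration, so the same secret is duplicated into a second store path rather than being kept out of the store. Conversely, if the redis module enabled through `nixfiles.modules.redis.enable = true` happens to use `requirePassFile` instead, `requirePass` evaluates to null here and rspamd would silently try to talk to redis-default without authenticating; nothing in this file catches either case. I would pin the assumption with `assertions = [{ assertion = config.services.redis.servers.default.requirePass != null; message = "rspamd shares redis-default and expects it to use requirePass"; }];` and, if the mailserver module offers a file-based password option, switch to it. A one-line comment such as `# rspamd reuses redis-default; its password is inlined into store-resident rspamd config` would also make the trade-off visible to the next reader, especially since `bind` may be a non-loopback address where that password is the only thing protecting the instance.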