From 8f137c28230623259a964484adcf31fe00756594 Mon Sep 17 00:00:00 2001
From: Azat Bahawi <azat@bahawi.net>
Date: Sat, 17 Dec 2022 16:39:09 +0300
Subject: 2022-12-17

---
 nixosConfigurations/manwe/mailserver.nix | 94 ++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 nixosConfigurations/manwe/mailserver.nix

(limited to 'nixosConfigurations/manwe/mailserver.nix')

diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
new file mode 100644
index 0000000..a4b552a
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver.nix
@@ -0,0 +1,94 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+  secrets = {
+    dkim-key-azahi-cc = {
+      file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+      path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-rohan-net = {
+      file = "${inputs.self}/secrets/dkim-key-rohan-net";
+      path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-gondor-net = {
+      file = "${inputs.self}/secrets/dkim-key-gondor-net";
+      path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-shire-me = {
+      file = "${inputs.self}/secrets/dkim-key-shire-me";
+      path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+  };
+
+  nixfiles.modules.acme.enable = true;
+
+  mailserver = let
+    cert = config.certs.${my.domain.shire};
+  in {
+    enable = true;
+
+    fqdn = config.networking.domain;
+    domains = with my.domain; [azahi gondor rohan shire];
+
+    localDnsResolver = false;
+
+    certificateScheme = 1;
+    certificateFile = "${cert.directory}/fullchain.pem";
+    keyFile = "${cert.directory}/key.pem";
+
+    lmtpSaveToDetailMailbox = "no";
+
+    loginAccounts = with my.domain; {
+      "azahi@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        aliases = [
+          "@${azahi}"
+          "@${rohan}"
+          "@${gondor}"
+          "abuse@${shire}"
+          "admin@${shire}"
+          "ceo@${shire}"
+          "postmaster@${shire}"
+        ];
+      };
+      "samwise@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        aliases = ["chad@${shire}"];
+        quota = "1G";
+      };
+      "pippin@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        quota = "1G";
+      };
+      "meriadoc@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        quota = "1G";
+      };
+    };
+  };
+
+  services.fail2ban.jails = {
+    dovecot = ''
+      enabled = true
+      mode = aggressive
+    '';
+    postfix = ''
+      enabled = true
+      mode = aggressive
+    '';
+  };
+}
-- 
cgit v1.2.3