{
  config,
  inputs,
  lib,
  ...
}:
with lib; let
  # Domains this host signs outbound mail for, keyed by the slug used in the
  # secret file name (secrets/dkim-key-<slug>). One DKIM key per entry.
  dkimDomains = with my.domain; {
    azahi-cc = azahi;
    rohan-net = rohan;
    gondor-net = gondor;
    shire-me = shire;
  };

  # Declares the secret holding one DKIM private key. The decrypted key is
  # placed where the signer looks for it (<domain>.<selector>.key) and is
  # owned by the opendkim user; the file mode is presumably set by the
  # secrets module — confirm it is not world-readable.
  mkDkimSecret = slug: domain: {
    file = "${inputs.self}/secrets/dkim-key-${slug}";
    path = "/var/dkim/${domain}.${config.mailserver.dkimSelector}.key";
    owner = "opendkim";
    group = "opendkim";
  };

  # Jail body shared by the dovecot and postfix fail2ban jails.
  aggressiveJail = ''
    enabled = true
    mode = aggressive
  '';
in {
  imports = [inputs.simple-nixos-mailserver.nixosModule];

  config = {
    secrets =
      mapAttrs' (slug: domain: nameValuePair "dkim-key-${slug}" (mkDkimSecret slug domain))
      dkimDomains;

    nixfiles.modules.acme.enable = true;

    mailserver = let
      # The shire certificate is used for the mail FQDN; presumably issued by
      # the acme module enabled above and exposed under config.certs — confirm.
      cert = config.certs.${my.domain.shire};
    in {
      enable = true;

      fqdn = config.networking.domain;
      domains = with my.domain; [azahi gondor rohan shire];

      # No resolver is run locally, so DNS-dependent checks (DNSBL, SPF/DKIM
      # lookups) presumably go through the system resolver — verify that
      # resolver is suitable for blocklist queries.
      localDnsResolver = false;

      # Scheme 1: certificate and key are supplied as existing files rather
      # than obtained by the mailserver module itself.
      certificateScheme = 1;
      certificateFile = "${cert.directory}/fullchain.pem";
      keyFile = "${cert.directory}/key.pem";

      lmtpSaveToDetailMailbox = "no";

      # hashedPassword values are redacted in this copy; the option name
      # indicates password hashes, not plaintext, are expected here.
      loginAccounts = with my.domain; {
        # Primary mailbox: receives the role addresses on shire and, via the
        # "@<domain>" aliases, presumably every local part on the other three
        # domains (catch-all), so unsolicited mail to those domains lands here.
        "azahi@${shire}" = {
          hashedPassword = "[REDACTED]";
          aliases = [
            "@${azahi}"
            "@${rohan}"
            "@${gondor}"
            "abuse@${shire}"
            "admin@${shire}"
            "ceo@${shire}"
            "postmaster@${shire}"
          ];
        };
        "samwise@${shire}" = {
          hashedPassword = "[REDACTED]";
          aliases = ["chad@${shire}"];
          quota = "1G";
        };
        "pippin@${shire}" = {
          hashedPassword = "[REDACTED]";
          quota = "1G";
        };
        "meriadoc@${shire}" = {
          hashedPassword = "[REDACTED]";
          quota = "1G";
        };
      };
    };

    # Same aggressive jail for IMAP (dovecot) and SMTP (postfix); what
    # "aggressive" matches is defined by fail2ban's filters, not here.
    services.fail2ban.jails = genAttrs ["dovecot" "postfix"] (_: aggressiveJail);
  };
}
