{
  config,
  inputs,
  lib,
  ...
}:
let
  inherit (config.mailserver)
    dkimKeyDirectory
    dkimSelector
    mailDirectory
    sieveDirectory
    ;
  inherit (lib.my) domain;

  # One secret entry per DKIM signing key. The decrypted key is placed where
  # the mailserver module expects it (<dkimKeyDirectory>/<domain>.<selector>.key)
  # and is owned by the opendkim user/group so that no other account on the
  # host can read the private key.
  dkimKeySecret = secretName: dom: {
    file = "${inputs.self}/secrets/${secretName}";
    path = "${dkimKeyDirectory}/${dom}.${dkimSelector}.key";
    owner = config.services.opendkim.user;
    inherit (config.services.opendkim) group;
  };

  # Certificate for the shire domain, presumably populated by the acme module
  # enabled via nixfiles.modules below. Postfix and Dovecot share it; the
  # mailserver module is told not to obtain its own (certificateScheme = manual).
  cert = config.certs.${domain.shire};

  redisDefault = config.services.redis.servers.default;
  postfixExporter = config.services.prometheus.exporters.postfix;
in
{
  imports = [ inputs.mailserver.nixosModule ] ++ (lib.modulesIn ./. |> lib.attrValues);

  # Persistent state of the mail stack.
  # NOTE(review): dkimKeyDirectory holds the DKIM *private* keys, so whatever
  # `ark` does with these paths (persist/back up) must treat them as secrets.
  ark.directories = [
    "/var/lib/dovecot"
    "/var/lib/postfix"
    config.security.dhparams.params.dovecot2.path
    dkimKeyDirectory
    mailDirectory
    sieveDirectory
  ];

  secrets = {
    dkim-key-azahi-cc = dkimKeySecret "dkim-key-azahi-cc" domain.azahi;
    dkim-key-rohan-net = dkimKeySecret "dkim-key-rohan-net" domain.rohan;
    dkim-key-gondor-net = dkimKeySecret "dkim-key-gondor-net" domain.gondor;
    dkim-key-shire-net = dkimKeySecret "dkim-key-shire-net" domain.shire;
  };

  nixfiles.modules = {
    acme.enable = true;
    redis.enable = true;
  };

  mailserver = {
    enable = true;

    # Client-facing listeners that start in cleartext and upgrade via STARTTLS
    # (IMAP, POP3, submission) are switched off: opportunistic STARTTLS can be
    # stripped by an active attacker whenever the client does not insist on
    # TLS (RFC 3207, section 6). The implicit-TLS listeners
    # (enableImapSsl / enableSubmissionSsl) are left at their defaults.
    # NOTE(review): enablePop3Ssl's default appears to be off as well, so
    # POP3 is not offered in any form — confirm against the mailserver module.
    # Server-to-server SMTP on the MX port is presumably unaffected; it keeps
    # using opportunistic STARTTLS as the protocol requires.
    #
    # https://www.rfc-editor.org/rfc/rfc3207#section-6
    enableImap = false;
    enablePop3 = false;
    enableSubmission = false;

    fqdn = config.networking.domain;
    domains = [
      domain.azahi
      domain.gondor
      domain.rohan
      domain.shire
    ];

    # NOTE(review): with the module's local resolver disabled, rspamd's DNSBL /
    # URIBL lookups go through the host's configured resolver; many blocklists
    # refuse or rate-limit queries coming from public resolvers, so verify the
    # host uses a local recursive one.
    localDnsResolver = false;

    certificateScheme = "manual";
    certificateFile = "${cert.directory}/fullchain.pem";
    keyFile = "${cert.directory}/key.pem";

    lmtpSaveToDetailMailbox = "no";

    # rspamd talks to the shared "default" redis instance rather than the
    # module-provided redis-rspamd server (disabled below).
    # NOTE(review): requirePass is a plain string option; if it is set to a
    # literal anywhere in this configuration it ends up in the world-readable
    # Nix store — check how nixfiles.modules.redis supplies it.
    redis = {
      address = redisDefault.bind;
      port = redisDefault.port;
      password = redisDefault.requirePass;
    };
  };

  services = {
    # Ban peers that repeatedly fail against Dovecot or Postfix. Per fail2ban's
    # filter docs, "aggressive" mode matches a broader set of failures
    # (including authentication failures) than the default mode.
    fail2ban.jails = lib.genAttrs [ "dovecot" "postfix" ] (_: {
      enabled = true;
      settings.mode = "aggressive";
    });

    # The mailserver module enables its own redis-rspamd server (see the linked
    # issue); force it off since rspamd is pointed at redis-default above.
    # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
    redis.servers.rspamd.enable = lib.mkForce false;

    # Postfix metrics on loopback only; scraped by the local alloy agent
    # configured below.
    prometheus.exporters.postfix = {
      enable = true;
      listenAddress = "127.0.0.1";
      port = 9154;
    };
  };

  environment.etc."alloy/postfix.alloy".text = ''
    prometheus.scrape "postfix" {
      targets = [
        {
          __address__ = "${postfixExporter.listenAddress}:${toString postfixExporter.port}",
          instance    = "${config.networking.hostName}",
        },
      ]
      forward_to = [prometheus.relabel.default.receiver]
    }
  '';

  # Presumably the module orders rspamd after redis-rspamd.service; mkForce
  # swaps that dependency for the instance actually in use so rspamd is not
  # tied to a unit that is disabled.
  systemd.services.rspamd = {
    requires = lib.mkForce [ "redis-default.service" ];
    after = lib.mkForce [ "redis-default.service" ];
  };
}
