path: root/nixosConfigurations/manwe/mailserver.nix
{
  config,
  inputs,
  lib,
  ...
}: let
  inherit (lib) my;

  # Build one entry for the `secrets` option per DKIM signing key.  The key
  # is delivered as a secret file (not committed to the Nix store) and placed
  # where OpenDKIM looks for `<domain>.<selector>.key`, owned by the opendkim
  # user and group.  `name` is the secret's suffix (e.g. "azahi-cc"), `domain`
  # the signing domain it belongs to.
  mkDkimSecret = name: domain: {
    name = "dkim-key-${name}";
    value = {
      file = "${inputs.self}/secrets/dkim-key-${name}";
      path = "/var/dkim/${domain}.${config.mailserver.dkimSelector}.key";
      owner = "opendkim";
      group = "opendkim";
    };
  };

  # Jail body shared by both mail-facing daemons: enabled, aggressive mode.
  aggressiveJail = ''
    enabled = true
    mode = aggressive
  '';
in {
  imports = [inputs.simple-nixos-mailserver.nixosModule];

  # Local services the mail stack depends on: redis (for rspamd) and the
  # ACME module that provides the TLS certificate used below.
  nixfiles.modules.redis.enable = true;
  nixfiles.modules.acme.enable = true;

  secrets = builtins.listToAttrs [
    (mkDkimSecret "azahi-cc" my.domain.azahi)
    (mkDkimSecret "rohan-net" my.domain.rohan)
    (mkDkimSecret "gondor-net" my.domain.gondor)
    (mkDkimSecret "shire-net" my.domain.shire)
  ];

  mailserver = let
    inherit (my.domain) azahi gondor rohan shire;
    # TLS material comes from the ACME certificate issued for the shire domain.
    cert = config.certs.${shire};
    redisCfg = config.services.redis.servers.default;
  in {
    enable = true;

    fqdn = config.networking.domain;
    domains = [azahi gondor rohan shire];

    # The mailserver module's own local resolver is switched off, so DNS
    # lookups made by the mail stack presumably go through the host's
    # configured resolver.  NOTE(review): confirm that resolver is trusted,
    # since DNSBL/DKIM/SPF results depend on it.
    localDnsResolver = false;

    # Scheme 1: certificate and key files are supplied by us rather than
    # obtained by the module itself.
    certificateScheme = 1;
    certificateFile = "${cert.directory}/fullchain.pem";
    keyFile = "${cert.directory}/key.pem";

    lmtpSaveToDetailMailbox = "no";

    # Connection details for the locally managed redis instance.
    # NOTE(review): requirePass is passed to the module as a plain string;
    # check whether the module writes it into a world-readable store path.
    redis = {
      address = redisCfg.bind;
      port = redisCfg.port;
      password = redisCfg.requirePass;
    };

    # "@HASHED_PASSWORD@" looks like a placeholder for a deploy-time
    # substitution -- TODO confirm it is replaced before activation.
    loginAccounts = {
      "azahi@${shire}" = {
        hashedPassword = "@HASHED_PASSWORD@";
        # Catch-all for the three secondary domains, plus the role addresses
        # on the primary one.
        aliases = [
          "@${azahi}"
          "@${rohan}"
          "@${gondor}"
          "abuse@${shire}"
          "admin@${shire}"
          "ceo@${shire}"
          "postmaster@${shire}"
          "root@${shire}"
        ];
      };
      "samwise@${shire}" = {
        hashedPassword = "@HASHED_PASSWORD@";
        aliases = ["chad@${shire}"];
        quota = "1G";
      };
    };
  };

  # Brute-force protection for the IMAP and SMTP front doors.
  services.fail2ban.jails = {
    dovecot = aggressiveJail;
    postfix = aggressiveJail;
  };
}
