| author | Max Audron <audron@cocaine.farm> | 2025-10-10 11:58:28 +0200 |
|---|---|---|
| committer | Max Audron <audron@cocaine.farm> | 2025-10-10 11:58:28 +0200 |
| commit | 5b8929435cb955169d7d497fc8d759e50d5f67ff (patch) | |
| tree | ae3340ef4bb544dfbb9822c0b3c7ad37f344f7c6 /modules/mailserver | |
| parent | replace dns bgp anouncement (diff) | |
setup mailserver
Diffstat (limited to 'modules/mailserver')
| -rw-r--r-- | modules/mailserver/default.nix | 209 |
1 files changed, 185 insertions, 24 deletions
diff --git a/modules/mailserver/default.nix b/modules/mailserver/default.nix
index 9188129..30e4506 100644
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@@ -1,44 +1,205 @@ -{ config, lib, pkgs, ...}: +{ + config, + lib, + pkgs, + nixpkgs-unstable, + ... +}: { - mailserver = { + disabledModules = [ "services/mail/stalwart-mail.nix" ]; + imports = [ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix" ]; + + services.stalwart-mail = { enable = true; + package = pkgs.unstable.stalwart-mail.override { stalwartEnterprise = true; }; + openFirewall = true; - fqdn = "mail.vapor.systems"; - domains = [ "vapor.systems" ]; - - # A list of all login accounts. To create the password hashes, use - # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' - loginAccounts = { - # "user1@example.com" = { - # hashedPasswordFile = "/a/file/containing/a/hashed/password"; - # aliases = ["postmaster@example.com"]; - # }; - # "user2@example.com" = { ... }; - }; + settings = { + config = { + local-keys = [ + "store.*" + "directory.*" + "tracer.*" + "!server.blocked-ip.*" + "!server.allowed-ip.*" + "server.*" + "authentication.fallback-admin.*" + "cluster.*" + "config.local-keys.*" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "certificate.*" + "webadmin.*" + "metrics.prometheus.*" + "resolver.*" + "http.hsts" + ]; + }; - ldap = { - enable = true; - uris = [ "ldaps://ettves:636" ]; + certificate."mail-vapor-systems" = { + cert = "%{file:/var/lib/acme/mail.vapor.systems/fullchain.pem}%"; + private-key = "%{file:/var/lib/acme/mail.vapor.systems/key.pem}%"; + }; + + spam-filter = lib.mkForce {}; - bind = { - dn = "cn=mail,ou=users,dc=mail,dc=vapor,dc=systems"; - passwordFile = "/etc/secrets/ldap"; + http = { + hsts = true; }; - searchBase = "dc=mail,dc=vapor,dc=systems"; - }; + metrics.prometheus = { + enable = true; + auth = { + username = "prometheus"; + secret = "%{file:/etc/secrets/prometheus}%"; + }; + }; + + server = { + hostname = "mail.vapor.systems"; + + tls = { + enable = true; + implicit = true; + timeout = "1m"; + disable-protocols = [ "TLSv1.2" ]; + disable-ciphers = [ + 
"TLS13_AES_256_GCM_SHA384" + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + ]; + ignore-client-order = true; + }; + + listener = { + smtp = { + bind = [ + "0.0.0.0:25" + "[2a01:4f8:1c1c:3ce7::1]:25" + ]; + protocol = "smtp"; + }; + submission = { + bind = [ + "0.0.0.0:587" + "[2a01:4f8:1c1c:3ce7::1]:587" + ]; + protocol = "smtp"; + }; + submissions = { + bind = [ + "0.0.0.0:465" + "[2a01:4f8:1c1c:3ce7::1]:465" + ]; + protocol = "smtp"; + tls = { + enable = true; + implicit = true; + }; + }; + + imap = { + bind = [ + "0.0.0.0:993" + "[2a01:4f8:1c1c:3ce7::1]:993" + ]; + protocol = "imap"; + tls = { + enable = true; + implicit = true; + }; + }; + + management_plain = { + bind = [ + "0.0.0.0:80" + "[2a01:4f8:1c1c:3ce7::1]:80" + ]; + protocol = "http"; + }; + management = { + bind = [ + "0.0.0.0:443" + "[2a01:4f8:1c1c:3ce7::1]:443" + ]; + protocol = "http"; + tls = { + enable = true; + implicit = true; + }; + }; + }; - certificateScheme = "acme"; + }; + + storage.directory = "internal"; + + directory = { + ldap = { + type = "ldap"; + url = "ldap://10.10.0.1:389"; + timeout = "30s"; + tls.enable = false; + + base-dn = "dc=mail,dc=vapor,dc=systems"; + + bind = { + dn = "cn=mail,ou=users,dc=mail,dc=vapor,dc=systems"; + secret = "%{file:/etc/secrets/ldap}%"; + auth = { + method = "template"; + template = "cn={local},ou=users,dc=mail,dc=vapor,dc=systems"; + search = true; + }; + }; + + filter = { + name = "(&(|(objectClass=person)(objectClass=group))(sAMAccountName=?))"; + email = "(&(|(objectClass=person)(objectClass=group))(|(mail=?)(mailAlias=?)))"; + }; + + attributes = { + name = "sAMAccountName"; + class = "objectClass"; + description = [ + "displayName" + ]; + secret = "userPassword"; + groups = [ "memberOf" ]; + email = "mail"; + email-alias = "mailAlias"; + quota = "diskQuota"; + }; + }; + }; + + authentication = { + fallback-admin = { + user = "admin"; + secret = 
"$6$W2nCPyf1a./fdBxp$yLaBwQDxQqj00UnH9hR3XN8NIXGd.X/ts.dKVKjSWsd8DPJbn/YUnFGUAaoTX5jbeRi76qeFnCVLARdDJKLgA/"; + }; + }; + }; }; secrets = { - minecraft = { + ldap = { source = ../../secrets/authentik/mail; dest = "/etc/secrets/ldap"; + owner = config.users.users.stalwart-mail.name; + }; + prometheus = { + source = ../../secrets/prometheus; + dest = "/etc/secrets/prometheus"; + owner = config.users.users.stalwart-mail.name; }; }; + users.users.stalwart-mail.extraGroups = [ "acme" ]; + security.acme.certs = { "mail.vapor.systems" = { }; }; |
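Review bot: The new `directory.ldap` block talks to the directory in plaintext (`url = "ldap://10.10.0.1:389"` together with `tls.enable = false`), whereas the replaced configuration used `ldaps://ettves:636`, so the bind secret and every user password verified through the `template` bind now cross the wire unencrypted; unless 10.10.0.1 is reached over an already-encrypted link, prefer `url = "ldaps://10.10.0.1:636";` and `tls.enable = true;`. The `authentication.fallback-admin.secret` value is a literal `$6$` password hash written into the Nix file, which commits it to the repository and, once the module renders the settings, presumably places it in the world-readable Nix store; the other secrets in this hunk already use file indirection, so `secret = "%{file:/etc/secrets/ADMIN_SECRET}%";` (placeholder path) with a matching `secrets` entry owned by `stalwart-mail` would be consistent with them. The `management_plain` listener serves `protocol = "http"` on `0.0.0.0:80` without TLS, so the management interface is reachable over cleartext despite `http.hsts = true`; if that listener exists only for HTTP-to-HTTPS redirection, a comment saying so would help, otherwise consider dropping it. Also note that `disable-protocols = [ "TLSv1.2" ]` applies to the port-25 listener as well, where peers that cannot negotiate TLS 1.3 will typically fall back to unencrypted delivery under opportunistic STARTTLS.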
