Gonne/nixConfig
1
0
Fork 0
forked from Fachschaft/nixConfig
Code Pull requests Activity
nixConfig/nixos/modules/mail.nix

180 lines
6.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
config,
lib,
# pkgs,
...
}: let
inherit
(lib)
mkIf
mkEnableOption
mkOption
;
inherit (lib.types) str;
cfg = config.services.mathebau-mail;
in {
options.services.mathebau-mail = {
enable = mkEnableOption "mathebau mail service";
siteOwner = mkOption {
type = str;
};
};
config = mkIf cfg.enable {
services = {
stalwart-mail = {
enable = true;
openFirewall = true;
settings = {
server = {
lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
listener = {
"smtp" = {
bind = ["[::]:25"];
protocol = "smtp";
};
"submissions" = {
# Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
bind = ["[::]:465"];
protocol = "smtp";
tls.implicit = true;
};
"imaptls" = {
bind = ["[::]:993"];
protocol = "imap";
tls.implicit = true;
};
"management" = {
bind = ["[::]:80"]; # This must also bind publically for ACME to work.
protocol = "http";
};
};
};
acme.letsencrypt = {
directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
challenge = "http-01";
contact = ["root@mathebau.de"];
domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
default = true;
};
auth = {
# TODO check if can be removed
dkim.verify = "relaxed";
arc.verify = "relaxed";
dmarc.verify = "relaxed";
iprev.verify = "relaxed";
spf.verify.ehlo = "relaxed";
spf.verify.mail-from = "relaxed";
};
# tracer.stdout.level = "trace";
queue.outbound = {
# see https://stalw.art/docs/smtp/outbound/routing/ relay host example
next-hop = [
{
"if" = "is_local_domain('', rcpt_domain)";
"then" = "'local'";
}
{"else" = "'relay'";}
];
tls.mta-sts = "disable";
tls.dane = "disable";
};
remote."relay" = {
address = "mailout.hrz.tu-darmstadt.de";
port = 25;
protocol = "smtp";
tls.implicit = false;
tls.allow-invalid-certs = false;
};
/*
sieve.trusted.scripts = {
redirects = ''
require ["envelope", "include"]; include :global "track-replies"; if envelope :is "to" "gonne@koma89.tu-darmstadt.de" { redirect "gonne@mathebau.de"; }
'';
};
session.data.script = "'redirects'";
*/
authentication.fallback-admin = {
user = "admin";
secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
};
};
};
};
environment.persistence.${config.impermanence.name} = {
directories = [
"/var/lib/stalwart-mail"
];
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
};
# Update HRZ allowlist
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
# will stop working if no valid TUIDs are associated to our domain.
/*
systemd.timers."mailAllowlist" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m"; # Run every 5 minutes
OnUnitActiveSec = "5m";
RandomizedDelaySec = "2m"; # prevent overload on regular intervals
Unit = "mailAllowlist.service";
};
};
systemd.services."mailAllowlist" = {
description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
script = ''
# Get the mail addresses' local-part
#TODO
# Post local-parts to HRZ
${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${cfg.domain} -F password=$(cat /run/secrets/allowlistPass) -F emailliste=@/tmp/addresses -F meldungen=voll
# Cleanup
rm /tmp/addresses
'';
serviceConfig = {
Type = "oneshot";
User = "stalwart-mail";
NoNewPrivileges = true;
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = true;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
*/
# Backups
/*
services.borgbackup.jobs.mail = {
paths = [
"/var/lib/stalwart-mail"
];
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
# Borg ensures that backups are not created on random drives that just happen to contain a Borg repository.
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
# We don't want this in order to not need to persist borg cache and simplify new deployments.
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
startAt = "daily";
user = "root";
group = "root";
};
*/
};
}
View git blame Copy permalink