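# Eilean mailserver module: configures simple-nixos-mailserver for this
# host's domain, publishes the matching DNS records through eilean.dns and,
# when acme-eon is enabled, takes its certificate from the acme-eon service.
{ pkgs, config, lib, ... }:
with lib;
let
  cfg = config.eilean;
  domain = config.networking.domain;
  # The mail host always lives at the "mail" label of the domain; the
  # certificate name and the A/AAAA/MX/SPF records below all derive from it.
  subdomain = "mail.${domain}";
  # Directory acme-eon writes the certificate into. Only referenced under
  # mkIf cfg.acme-eon, so it is never evaluated when acme-eon is off.
  acmeCertDir = config.security.acme-eon.certs.${subdomain}.directory;
  # Ordering on the acme-eon unit, shared by both MTA services so they do not
  # start before the certificate files they are configured to read exist.
  acmeUnitDeps = {
    wants = [ "acme-eon-${subdomain}.service" ];
    after = [ "acme-eon-${subdomain}.service" ];
  };
  # Single protocol list for all four Postfix TLS protocol settings (server
  # and client side, opportunistic and mandatory): TLS 1.2 and 1.3 only.
  # Previously the two *_mandatory_* settings carried the inverse list
  # ("!TLSv1.2, TLSv1.1"), disabling TLS 1.2 and re-enabling TLS 1.1 exactly
  # where TLS is enforced; one binding keeps the four values from drifting.
  tlsProtocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
in {
  options.eilean.mailserver = {
    enable = mkEnableOption "mailserver";
    systemAccountPasswordFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to the password file of the system@<domain> login account.
        The value is passed through unchanged (including the default null)
        to mailserver.loginAccounts."system@<domain>".passwordFile, so the
        file must be in the format that option expects.
      '';
    };
  };

  config = mkIf cfg.mailserver.enable {
    # With acme-eon enabled, request a certificate for the mail host and
    # reload both MTAs whenever it is renewed.
    # NOTE(review): the certificate group is "turnserver" while the only
    # consumers named here are postfix and dovecot; confirm those services
    # can read files owned by that group, or that this is a copy-paste.
    security.acme-eon.certs."${subdomain}" = mkIf cfg.acme-eon {
      group = "turnserver";
      reloadServices = [ "postfix.service" "dovecot.service" ];
    };

    mailserver = {
      enable = true;
      fqdn = subdomain;
      domains = [ domain ];
      loginAccounts = {
        "system@${domain}" = {
          passwordFile = cfg.mailserver.systemAccountPasswordFile;
          # Service mailboxes are delivered to the system account; each
          # alias is only defined while the corresponding service is enabled.
          aliases = [
            (mkIf cfg.gitea.enable "git@${domain}")
            (mkIf cfg.mastodon.enable "mastodon@${domain}")
          ];
        };
      };
      # Use Let's Encrypt certificates. Note that this needs to set up a stripped
      # down nginx and opens port 80. With acme-eon the certificate and key
      # are instead supplied manually from the acme-eon directory.
      certificateScheme = if cfg.acme-eon then "manual" else "acme-nginx";
      certificateFile = mkIf cfg.acme-eon "${acmeCertDir}/fullchain.pem";
      keyFile = mkIf cfg.acme-eon "${acmeCertDir}/key.pem";
      localDnsResolver = false;
    };

    # The mail host answers HTTP only to redirect visitors to the main site.
    services.nginx.enable = true;
    services.nginx.virtualHosts."${config.mailserver.fqdn}".extraConfig = ''
      return 301 $scheme://${domain}$request_uri;
    '';

    systemd.services.dovecot2 = mkIf cfg.acme-eon acmeUnitDeps;
    systemd.services.postfix = mkIf cfg.acme-eon acmeUnitDeps;

    # Restrict Postfix to TLS 1.2/1.3 on the server (smtpd_*) and client
    # (smtp_*) side, for opportunistic and for enforced TLS alike. mkForce
    # overrides whatever the mailserver module sets for these keys.
    services.postfix.config = {
      smtpd_tls_protocols = mkForce tlsProtocols;
      smtp_tls_protocols = mkForce tlsProtocols;
      smtpd_tls_mandatory_protocols = mkForce tlsProtocols;
      smtp_tls_mandatory_protocols = mkForce tlsProtocols;
    };

    # DNS records for the mail host: address records for "mail", an MX at
    # the zone apex pointing to it, an SPF record that authorises only the
    # mail host's addresses (hard fail for everything else), and a DMARC
    # policy of reject. No rua= address is set, so no aggregate reports
    # are requested.
    eilean.dns.enable = true;
    eilean.services.dns.zones.${domain}.records = [
      {
        name = "mail";
        type = "A";
        value = cfg.serverIpv4;
      }
      {
        name = "mail";
        type = "AAAA";
        value = cfg.serverIpv6;
      }
      {
        name = "@";
        type = "MX";
        value = "10 mail";
      }
      {
        name = "@";
        type = "TXT";
        value = ''"v=spf1 a:mail.${domain} -all"'';
      }
      {
        name = "_dmarc";
        ttl = 10800;
        type = "TXT";
        value = ''"v=DMARC1; p=reject"'';
      }
    ];
  };
}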