mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: add preliminary maddy configuration

Browse source
This commit is contained in:
oddlama 2024-04-11 17:08:40 +02:00
parent ea490a4379
commit ee82d91214
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 217 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -1053,11 +1053,11 @@
"pre-commit-hooks": "pre-commit-hooks_4" "pre-commit-hooks": "pre-commit-hooks_4"
}, },
"locked": { "locked": {
"lastModified": 1710447185, "lastModified": 1712774101,
"narHash": "sha256-M63b7f5dnGtLAZmgzSepQvcVA++QRJ+h8fSlyowgYcI=", "narHash": "sha256-t58qLvRLjrekfnHWS5Un5LXQJCrLeycKcuPRtoVqJbw=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nixos-extra-modules", "repo": "nixos-extra-modules",
"rev": "a4f79d7479bf63fb99e1d19cb6502feabc2854c3", "rev": "0f4e5f7391532ddf105020a5be75421ea2e4fdc7",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
hosts/envoy/default.nix
View file

@ -9,6 +9,7 @@
./acme.nix ./acme.nix
./fs.nix ./fs.nix
./net.nix ./net.nix
./maddy.nix
]; ];
boot.mode = "bios"; boot.mode = "bios";

213
hosts/envoy/maddy.nix Normal file
View file

@ -0,0 +1,213 @@
{
config,
pkgs,
lib,
...
}: let
mailDomains = config.repo.secrets.global.domains.mail;
primaryDomain = mailDomains.primary;
maddyBackupDir = "/var/cache/backups/maddy";
in {
systemd.tmpfiles.settings."10-maddy".${maddyBackupDir}.d = {
inherit (config.services.maddy) user group;
mode = "0770";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/maddy";
inherit (config.services.maddy) user group;
mode = "0750";
}
];
# For each mail domain, add MTA STS entry via nginx
# FIXME: autoconfig
services.nginx.virtualHosts = lib.genAttrs (map (x: "mta-sts.${x}") mailDomains.all) (_x: {
forceSSL = true;
useACMEWildcardHost = true;
locations."=/.well-known/mta-sts.txt".alias = pkgs.writeText "mta-sts.txt" ''
version: STSv1
mode: enforce
mx: mx1.${primaryDomain}
max_age: 86400
'';
});
networking.firewall.allowedTCPPorts = [25 465 993];
services.maddy = {
enable = true;
hostname = "mx1.${primaryDomain}";
inherit primaryDomain;
localDomains = mailDomains.all;
tls = {
loader = "file";
certificates = [
{
keyPath = "${config.security.acme.certs.${primaryDomain}.directory}/key.pem";
certPath = "${config.security.acme.certs.${primaryDomain}.directory}/fullchain.pem";
}
];
};
#ensureCredentials = {
# "me@${primaryDomain}".passwordFile = config.age.secrets.patrickPasswd.path;
#};
#ensureAccounts = [
# "me@${primaryDomain}"
#];
config =
/*
bash
*/
''
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn mailboxes.db
table_name users
}
}
storage.imapsql local_mailboxes {
driver sqlite3
dsn imap.db
}
table.chain local_rewrites {
optional_step sql_query {
driver sqlite
dsn mailboxes.db
lookup "SELECT alias FROM aliases WHERE address = $1"
}
}
msgpipeline local_routing {
destination $(local_domains) {
modify {
replace_rcpt &local_rewrites
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
# ----------------------------------------------------------------------------
# Endpoints
imap tls://0.0.0.0:993 {
auth &local_authdb
storage &local_mailboxes
}
# SMTP for incoming mails from other servers.
# Allows anyone to connect and give us local mail, but doesn't allow message relaying.
smtp tcp://0.0.0.0:25 {
limits {
# Up to 20 msgs/sec across max. 10 SMTP connections.
all rate 20 1s
all concurrency 10
}
dmarc yes
max_message_size 256M
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
# Submission with implicit TLS for authenticated users.
# Allows only authenticated users, and allows message relaying.
# Contrary to popular belief, port 465 is [NOT deprecated](https://datatracker.ietf.org/doc/html/rfc8314#section-7.3),
# and has been assigned for "Message Submission over TLS protocol",
# I neither need nor want to use STARTTLS.
submission tls://0.0.0.0:465 {
limits {
# Up to 50 msgs/sec across any amount of SMTP connections.
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination $(local_domains) {
modify {
dkim $(local_domains) default
}
deliver_to &local_routing
}
default_destination {
modify {
dkim $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
# ----------------------------------------------------------------------------
# Outbound configuration
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
target.remote outbound_delivery {
limits {
# Up to 20 msgs/sec across max. 10 SMTP connections
# for each recipient domain.
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
'';
};
}

BIN
secrets/global.nix.age
View file

Binary file not shown.