diff --git a/flake.lock b/flake.lock index 66b8058..6fbe8aa 100644 --- a/flake.lock +++ b/flake.lock @@ -16,22 +16,6 @@ "type": "github" } }, - "blobs": { - "flake": false, - "locked": { - "lastModified": 1604995301, - "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "type": "gitlab" - } - }, "crane": { "inputs": { "flake-compat": [ @@ -119,22 +103,6 @@ "type": "github" } }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -203,11 +171,11 @@ ] }, "locked": { - "lastModified": 1688302761, - "narHash": "sha256-YIYKeX3YfoAIg9DTe6cl1ga87rDCNDZugdGuqsvEN30=", + "lastModified": 1688552611, + "narHash": "sha256-pV/1/AU1l5CNFeKmdJ1jofcaKHhtKAbxY4gazeCyoSo=", "owner": "nix-community", "repo": "home-manager", - "rev": "c85d9137db45a1c9c161f4718b13cc3bd4cbd173", + "rev": "b23c7501f7e0a001486c9a5555a6c53ac7b08e85", "type": "github" }, "original": { @@ -333,11 +301,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688231357, - "narHash": "sha256-ZOn16X5jZ6X5ror58gOJAxPfFLAQhZJ6nOUeS4tfFwo=", + "lastModified": 1688500189, + "narHash": "sha256-djYYiY4lzJOlXOnTHytH6BUugrxHDZjuGxTSrU4gt4M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "645ff62e09d294a30de823cb568e9c6d68e92606", + "rev": "78419edadf0fabbe5618643bd850b2f2198ed060", "type": "github" }, "original": { 
@@ -346,36 +314,6 @@ "type": "indirect" } }, - "nixpkgs-22_11": { - "locked": { - "lastModified": 1669558522, - "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, - "nixpkgs-23_05": { - "locked": { - "lastModified": 1684782344, - "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.05", - "type": "indirect" - } - }, "nixpkgs-lib": { "locked": { "lastModified": 1680397293, @@ -485,7 +423,6 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "purge": "purge", - "simple-nixos-mailserver": "simple-nixos-mailserver", "sops-nix": "sops-nix", "trucksimulatorbot": "trucksimulatorbot" } @@ -515,31 +452,6 @@ "type": "github" } }, - "simple-nixos-mailserver": { - "inputs": { - "blobs": "blobs", - "flake-compat": "flake-compat_3", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-22_11": "nixpkgs-22_11", - "nixpkgs-23_05": "nixpkgs-23_05", - "utils": "utils_2" - }, - "locked": { - "lastModified": 1688064897, - "narHash": "sha256-Q3CZc6ZfC4KpjGWVPsrofFgxor+UjqhbFBSi7YmHVvI=", - "owner": "simple-nixos-mailserver", - "repo": "nixos-mailserver", - "rev": "0c1801b48995ec6909e040abedaa56a64f0db430", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "repo": "nixos-mailserver", - "type": "gitlab" - } - }, "sops-nix": { "inputs": { "nixpkgs": [ 
@@ -610,21 +522,6 @@ "repo": "flake-utils", "type": "github" } - }, - "utils_2": { - "locked": { - "lastModified": 1605370193, - "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5021eac20303a61fafe17224c087f5519baed54d", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index fe78703..f3a84cc 100644 --- a/flake.nix +++ b/flake.nix @@ -44,10 +44,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver = { - url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = @@ -63,7 +59,6 @@ , lanzaboote , purge , trucksimulatorbot - , simple-nixos-mailserver , ... }@attrs: { packages.x86_64-linux = { @@ -124,7 +119,6 @@ sops-nix.nixosModules.sops purge.nixosModules.default trucksimulatorbot.nixosModules.default - simple-nixos-mailserver.nixosModules.default ]; }; vm = nixpkgs.lib.nixosSystem { diff --git a/hosts/falkenstein-1/modules/mail/default.nix b/hosts/falkenstein-1/modules/mail/default.nix index 2424eec..9fbc150 100644 --- a/hosts/falkenstein-1/modules/mail/default.nix +++ b/hosts/falkenstein-1/modules/mail/default.nix 
@@ -1,33 +1,200 @@ -{ config, ... }: +{ config, pkgs, ... }: + +let + domain = "rfive.de"; + hostname = "falkenstein.vpn.${domain}"; + rspamd-domain = "rspamd.${domain}"; +in { sops.secrets."mail/rouven".owner = config.users.users.postfix.name; sops.secrets."rspamd".owner = config.users.users.rspamd.name; - mailserver = rec { - enable = true; - fqdn = "falkenstein.vpn.rfive.de"; - domains = [ "rfive.de" ]; - extraVirtualAliases = { - "root@rfive.de" = "rouven@rfive.de"; - "abuse@rfive.de" = "rouven@rfive.de"; - "postmaster@rfive.de" = "rouven@rfive.de"; - }; - loginAccounts = { - "rouven@rfive.de" = { - name = "Rouven Seifert"; - hashedPasswordFile = config.sops.secrets."mail/rouven".path; + networking.firewall.allowedTCPPorts = [ + 25 # insecure SMTP + 465 + 587 # SMTP + 993 # IMAP + 4190 # sieve + ]; + users.users.postfix.extraGroups = [ "opendkim" ]; + users.users.rouven = { + description = "Rouven Seifert"; + isNormalUser = true; + }; + + services = { + postfix = { + enable = true; + enableSubmission = true; + enableSubmissions = true; + hostname = "${hostname}"; + domain = "${domain}"; + origin = "${domain}"; + destination = [ "${hostname}" "${domain}" "localhost" ]; + networks = [ "127.0.0.1" "141.30.30.169" ]; + sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslKey = "/var/lib/acme/${hostname}/key.pem"; + + extraAliases = '' + postmaster: root + abuse: postmaster + ''; + config = { + home_mailbox = "Maildir/"; + smtp_use_tls = true; + smtpd_use_tls = true; + smtpd_tls_protocols = [ + "!SSLv2" + "!SSLv3" + "!TLSv1" + "!TLSv1.1" + ]; + smtpd_recipient_restrictions = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_unauth_destination" + "reject_non_fqdn_sender" + "reject_non_fqdn_recipient" + "reject_unknown_sender_domain" + "reject_unknown_recipient_domain" + "reject_unauth_destination" + "reject_unauth_pipelining" + "reject_invalid_hostname" + ]; + smtpd_relay_restrictions = [ + "permit_sasl_authenticated" + "permit_mynetworks" + 
"reject_unauth_destination" + ]; + alias_maps = [ "hash:/etc/aliases" ]; + smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; + non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]; + smtpd_sasl_auth_enable = true; + smtpd_sasl_path = "/var/lib/postfix/auth"; + smtpd_sasl_type = "dovecot"; + local_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; }; }; - certificateScheme = "acme-nginx"; + + dovecot2 = { + enable = true; + enableImap = true; + enableQuota = false; + enableLmtp = true; + mailLocation = "maildir:~/Maildir"; + sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslServerKey = "/var/lib/acme/${hostname}/key.pem"; + protocols = [ "imap" "sieve" ]; + mailPlugins = { + perProtocol = { + imap = { + enable = [ ]; + }; + lmtp = { + enable = [ "sieve" ]; + }; + }; + }; + mailboxes = { + Spam = { + auto = "create"; + specialUse = "Junk"; + }; + Sent = { + auto = "create"; + specialUse = "Sent"; + }; + Drafts = { + auto = "create"; + specialUse = "Drafts"; + }; + Trash = { + auto = "create"; + specialUse = "Trash"; + }; + }; + modules = [ + pkgs.dovecot_pigeonhole + ]; + extraConfig = '' + auth_username_format = %Ln + userdb { + driver = passwd + args = blocking=no + } + service auth { + unix_listener /var/lib/postfix/auth { + group = postfix + mode = 0660 + user = postfix + } + } + service managesieve-login { + inet_listener sieve { + port = 4190 + } + + service_count = 1 + } + service lmtp { + unix_listener dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } + client_limit = 1 + } + ''; + }; + + opendkim = { + enable = true; + domains = "csl:${domain}"; + selector = "falkenstein"; + configFile = pkgs.writeText "opendkim-config" '' + UMask 0117 + ''; + }; + rspamd = { + enable = true; + postfix.enable = true; + locals = { + "worker-controller.inc".source = config.sops.secrets."rspamd".path; + "redis.conf".text = '' + read_servers = "127.0.0.1"; + write_servers = "127.0.0.1"; + ''; + }; + }; + redis = { + vmOverCommit 
= true; + servers.rspamd = { + enable = true; + port = 6379; + }; + }; }; - services.rspamd.locals."worker-controller.inc".source = config.sops.secrets."rspamd".path; - services.nginx.virtualHosts."rspamd.rfive.de" = { - enableACME = true; - forceSSL = true; - locations = { - "/" = { - proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/"; + security.acme.certs."${domain}" = { + reloadServices = [ + "postfix.service" + "dovecot2.service" + ]; + }; + + services.nginx.virtualHosts = { + "${hostname}" = { + enableACME = true; + forceSSL = true; + }; + "rspamd.rfive.de" = { + enableACME = true; + forceSSL = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:11334"; + proxyWebsockets = true; + }; }; }; }; diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix index 7b3e795..b4a5eae 100644 --- a/hosts/thinkpad/modules/virtualisation/default.nix +++ b/hosts/thinkpad/modules/virtualisation/default.nix @@ -54,6 +54,7 @@ let in { + boot.kernelParams = [ "intel_iommu=on" ]; virtualisation.libvirtd.enable = true; virtualisation.spiceUSBRedirection.enable = true; diff --git a/users/rouven/modules/accounts/default.nix b/users/rouven/modules/accounts/default.nix index 96bd23e..9b59027 100644 --- a/users/rouven/modules/accounts/default.nix +++ b/users/rouven/modules/accounts/default.nix @@ -75,8 +75,8 @@ in extraConfig.Create = "near"; }; channels.junk = { - nearPattern = "Junk"; - farPattern = "Junk"; + nearPattern = "Spam"; + farPattern = "Spam"; extraConfig.Create = "near"; }; channels.drafts = {
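Review bot: The ACME reload hook on the new side is attached to the wrong certificate: postfix and dovecot2 read `/var/lib/acme/${hostname}/fullchain.pem` and `key.pem` (the certificate that the `"${hostname}"` nginx virtualHost requests), but `reloadServices` is declared under `security.acme.certs."${domain}"`, so renewals of the hostname certificate will not reload either daemon and they keep serving the stale chain until restarted; change it to `security.acme.certs."${hostname}".reloadServices = [ "postfix.service" "dovecot2.service" ];` and drop the `"${domain}"` entry, which no virtualHost in this hunk requests and which may not even evaluate without a challenge method. Second, `smtpd_sasl_auth_enable = true` is set in the global `config`, so the port-25 smtpd also advertises AUTH, and nothing in this hunk requires TLS before it; adding `smtpd_tls_auth_only = true;` next to it keeps credentials off cleartext sessions. Minor: `reject_unauth_destination` appears twice in `smtpd_recipient_restrictions`, and `non_smtpd_milters` uses `/var/run/opendkim/opendkim.sock` while `smtpd_milters` uses `/run/opendkim/opendkim.sock` — pick one path. The removed module forwarded root, abuse and postmaster to `rouven@rfive.de`, whereas the new `extraAliases` chain ends at `root`; unless a `root: rouven` alias exists outside this hunk, that mail lands in root's Maildir where nobody reads it. The `networks` list also grants unauthenticated relay to `141.30.30.169`; confirm that address is a single trusted host rather than a shared or NAT egress.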
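Review bot: The new `boot.kernelParams` line carries no explanation of why the IOMMU is being enabled on this host, and the `in {` block it sits in continues outside the hunk. A one-line comment such as `boot.kernelParams = [ "intel_iommu=on" ]; # IOMMU required for libvirt/VFIO device passthrough` would record the intent for the next reader. If passthrough is indeed the goal, confirm whether `iommu=pt` is also wanted; this hunk does not add it, and the presumed purpose is inferred from the surrounding libvirtd and USB-redirection options rather than stated.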